--- lib/action_view/helpers/text_helper.rb.orig 2011-06-16 21:02:32.000000000 -0400
+++ lib/action_view/helpers/text_helper.rb 2011-06-16 21:07:58.000000000 -0400
@@ -115,13 +115,12 @@ module ActionView
 end
 options.reverse_merge!(:highlighter => '\1')
- text = sanitize(text) unless options[:sanitize] == false
- if text.blank? || phrases.blank?
- text
- else
+ if text.present? && phrases.present?
 match = Array(phrases).map { |p| Regexp.escape(p) }.join('|')
- text.gsub(/(#{match})(?!(?:[^<]*?)(?:["'])[^<>]*>)/i, options[:highlighter])
- end.html_safe
+ text = text.to_str.gsub(/(#{match})(?!(?:[^<]*?)(?:["'])[^<>]*>)/i, options[:highlighter])
+ end
+ text = sanitize(text) unless options[:sanitize] == false
+ text
 end
 # Extracts an excerpt from +text+ that matches the first instance of +phrase+.
@@ -251,14 +250,16 @@ module ActionView
 # simple_format("Look ma! A class!", :class => 'description')
 # # => "
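Review bot: The `text.to_str` on the new gsub line is the security-relevant step of this hunk — it discards any html_safe flag on the input so the highlighted result is re-sanitized below instead of being trusted — but nothing says so, and a later maintainer could plausibly "simplify" it back to `text.gsub`; add `# to_str drops the html_safe flag: highlighted input is never trusted, it is sanitized below` above that line. Because sanitize now runs after highlighting, the `:highlighter` markup itself passes through the sanitizer, which is presumably intended but worth a second comment on the `text = sanitize(text)` line. The lookahead in the regex only heuristically avoids matching inside tag attributes, so with `:sanitize => false` the caller must supply text that is already safe; the method's signature and doc comment are outside the hunk and should state that.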

Look ma! A class!

"
 def simple_format(text, html_options={}, options={})
- text = ''.html_safe if text.nil?
+ text = text ? text.to_str : ''
+ text = text.dup if text.frozen?
 start_tag = tag('p', html_options, true)
- text = sanitize(text) unless options[:sanitize] == false
 text.gsub!(/\r\n?/, "\n") # \r\n and \r -> \n
 text.gsub!(/\n\n+/, "

\n\n#{start_tag}") # 2+ newline -> paragraph
 text.gsub!(/([^\n]\n)(?=[^\n])/, '\1
') # 1 newline -> br
 text.insert 0, start_tag
- text.html_safe.safe_concat("

")
+ text.concat("

")
+ text = sanitize(text) unless options[:sanitize] == false
+ text
 end
 # Turns all URLs and e-mail addresses into clickable links. The :link option
@@ -477,7 +478,7 @@ module ActionView
 # is yielded and the result is used as the link text.
 def auto_link_urls(text, html_options = {}, options = {})
 link_attributes = html_options.stringify_keys
- text.gsub(AUTO_LINK_RE) do
+ text.to_str.gsub(AUTO_LINK_RE) do
 scheme, href = $1, $&
 punctuation = []
@@ -494,14 +495,12 @@ module ActionView
 end
 end
- link_text = block_given?? yield(href) : href
+ link_text = block_given? ? yield(href) : href
 href = 'http://' + href unless scheme
- unless options[:sanitize] == false
- link_text = sanitize(link_text)
- href = sanitize(href)
- end
- content_tag(:a, link_text, link_attributes.merge('href' => href), !!options[:sanitize]) + punctuation.reverse.join('')
+ sanitize = options[:sanitize] != false
+ content_tag(:a, link_text, link_attributes.merge('href' => href), sanitize) + punctuation.reverse.join('')
+ end
 end.html_safe
 end
@@ -509,18 +508,14 @@ module ActionView
 # Turns all email addresses into clickable links. If a block is given,
 # each email is yielded and the result is used as the link text.
 def auto_link_email_addresses(text, html_options = {}, options = {})
- text.gsub(AUTO_EMAIL_RE) do
+ text.to_str.gsub(AUTO_EMAIL_RE) do
 text = $&
 if auto_linked?($`, $')
 text.html_safe
 else
- display_text = (block_given?) ? yield(text) : text
-
- unless options[:sanitize] == false
- text = sanitize(text)
- display_text = sanitize(display_text) unless text == display_text
- end
+ display_text = block_given? ? yield(text) : text
+ display_text = sanitize(display_text) unless options[:sanitize] == false
 mail_to text, display_text, html_options
 end
 end
--- test/template/text_helper_test.rb.orig 2011-06-16 21:03:06.000000000 -0400
+++ test/template/text_helper_test.rb 2011-06-16 21:10:53.000000000 -0400
@@ -48,6 +48,11 @@ class TextHelperTest < ActionView::TestC
 assert_equal "
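Review bot: `text = text ? text.to_str : ''` followed by the in-place `gsub!`, `insert` and `concat` calls now edits the caller's argument: the removed `text = sanitize(text)` used to hand the mutating code a fresh string, whereas `to_str` on a plain String presumably returns the receiver, and the `dup` on the next line only fires for frozen strings. `text = text ? text.to_str.dup : ''` (dropping the frozen? line) restores the old contract. The whole patch relies on `to_str` returning an unflagged copy of an html_safe buffer — here, in the auto_link_urls and auto_link_email_addresses hunks below, and in the url_helper and cache_helper hunks further down — but that SafeBuffer#to_str behaviour is not part of this diff; if the runtime's String#to_str returns self for subclasses the html_safe flag survives and the new tests would not pass, so confirm the companion change exists. simple_format's doc comment (outside the hunk) should also state what the new test pins down: the result is html_safe only when `:sanitize` is not false.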
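Review bot: `sanitize = options[:sanitize] != false` introduces a local named after the `sanitize` helper this same file calls (`sanitize(text)` in the highlight and simple_format hunks), so inside this block a bare `sanitize` reads as the helper but is a boolean. The value goes to content_tag's fourth argument, i.e. the old whitelist-sanitize of `link_text` and `href` is replaced by content_tag's HTML escaping; name the local for what it does, `escape = options[:sanitize] != false`, and record the changed meaning with `# :sanitize => false now emits link text and href unescaped`. auto_link_urls starts in the previous hunk and the if/else this code sits in is outside this one.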
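Review bot: The removed block also ran `sanitize(text)` on the matched address before it reached `mail_to`; the new code sanitizes only `display_text`, so the address goes into the `mailto:` href (built with `.html_safe` in the url_helper hunk further down) guarded only by the characters AUTO_EMAIL_RE admits. That is presumably fine if the pattern excludes quotes and angle brackets, but the dependency should be written down next to `display_text = sanitize(display_text)`: `# $& matched AUTO_EMAIL_RE, so the address carries no markup characters; only display_text needs sanitizing`. AUTO_EMAIL_RE itself is outside the hunk, so confirm its character class before relying on this.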

test with unsafe string

", simple_format(" test with unsafe string ", {}, :sanitize => false)
 end
+ def test_simple_format_should_not_be_html_safe_when_sanitize_option_is_false
+ assert !simple_format(" test with unsafe string ", {}, :sanitize => false).html_safe?
+ end
+
 def test_truncate_should_not_be_html_safe
 assert !truncate("Hello World!", :length => 12).html_safe?
 end
@@ -166,6 +171,13 @@ class TextHelperTest < ActionView::TestC
 )
 end
+ def test_highlight_on_an_html_safe_string
+ assert_equal(
+ "

This is a beautiful morning, but also a beautiful day

", + highlight("

This is a beautiful morning, but also a beautiful day

".html_safe, "beautiful", :highlighter => '\1') + ) + end + def test_highlight_with_html assert_equal( "

This is a beautiful morning, but also a beautiful day

",
@@ -306,13 +318,10 @@ class TextHelperTest < ActionView::TestC
 end
 end
- def generate_result(link_text, href = nil, escape = false)
- href ||= link_text
- if escape
- %{#{CGI::escapeHTML link_text}}
- else
- %{#{link_text}}
- end
+ def generate_result(link_text, href = nil)
+ href = CGI::escapeHTML(href || link_text)
+ text = CGI::escapeHTML(link_text)
+ %{#{text}}
 end
 def test_auto_link_should_be_html_safe
@@ -323,6 +332,8 @@ class TextHelperTest < ActionView::TestC
 assert auto_link('').html_safe?
 assert auto_link("#{link_raw} #{link_raw} #{link_raw}").html_safe?
 assert auto_link("hello #{email_raw}").html_safe?
+ assert !auto_link(link_raw.html_safe).html_safe?, 'should not be html safe'
+ assert !auto_link(email_raw.html_safe).html_safe?, 'should not be html safe'
 end
 def test_auto_link
@@ -419,7 +430,7 @@ class TextHelperTest < ActionView::TestC
 def test_auto_link_should_sanitize_input_when_sanitize_option_is_not_false
 link_raw = %{http://www.rubyonrails.com?id=1&num=2}
- assert_equal %{http://www.rubyonrails.com?id=1&num=2}, auto_link(link_raw)
+ assert_equal %{http://www.rubyonrails.com?id=1&num=2}, auto_link(link_raw)
 end
 def test_auto_link_should_not_sanitize_input_when_sanitize_option_is_false
--- test/abstract_unit.rb.orig 2011-06-17 07:51:44.000000000 -0400
+++ test/abstract_unit.rb 2011-06-16 22:41:52.000000000 -0400
@@ -169,6 +169,7 @@ class BasicController
 config.assets_dir = public_dir
 config.javascripts_dir = "#{public_dir}/javascripts"
 config.stylesheets_dir = "#{public_dir}/stylesheets"
+ config.assets = ActiveSupport::InheritableOptions.new({ :prefix => "assets" })
 config
 end
 end
--- lib/action_view/helpers/url_helper.rb.orig 2011-06-16 22:39:58.000000000 -0400
+++ lib/action_view/helpers/url_helper.rb 2011-06-16 22:40:35.000000000 -0400
@@ -483,7 +483,7 @@ module ActionView
 extras << "subject=#{Rack::Utils.escape(subject).gsub("+", "%20")}" unless subject.nil?
 extras = extras.empty? ? '' : '?' + html_escape(extras.join('&'))
- email_address_obfuscated = email_address.dup
+ email_address_obfuscated = email_address.to_str
 email_address_obfuscated.gsub!(/@/, html_options.delete("replace_at")) if html_options.has_key?("replace_at")
 email_address_obfuscated.gsub!(/\./, html_options.delete("replace_dot")) if html_options.has_key?("replace_dot")
@@ -491,7 +491,7 @@ module ActionView
 if encode == "javascript"
 html = content_tag("a", name || email_address_obfuscated.html_safe, html_options.merge("href" => "mailto:#{email_address}#{extras}".html_safe))
- html = escape_javascript(html)
+ html = escape_javascript(html.to_str)
 "document.write('#{html}');".each_byte do |c|
 string << sprintf("%%%x", c)
 end
--- lib/action_view/helpers/cache_helper.rb.orig 2011-06-16 22:38:31.000000000 -0400
+++ lib/action_view/helpers/cache_helper.rb 2011-06-16 22:39:35.000000000 -0400
@@ -53,7 +53,13 @@ module ActionView
 # This dance is needed because Builder can't use capture
 pos = output_buffer.length
 yield
- fragment = output_buffer.slice!(pos..-1)
+ if output_buffer.is_a?(ActionView::OutputBuffer)
+ safe_output_buffer = output_buffer.to_str
+ fragment = safe_output_buffer.slice!(pos..-1)
+ self.output_buffer = ActionView::OutputBuffer.new(safe_output_buffer)
+ else
+ fragment = output_buffer.slice!(pos..-1)
+ end
 controller.write_fragment(name, fragment, options)
 end
 end
--- test/template/text_helper_test.rb.orig 2011-06-17 08:28:21.000000000 -0400
+++ test/template/text_helper_test.rb 2011-06-17 08:30:42.000000000 -0400
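Review bot: Replacing `email_address.dup` with `email_address.to_str` removes the copy that protected the caller's argument: the two `gsub!` calls on the following context lines edit `email_address_obfuscated` in place, and for a plain String `to_str` presumably returns the receiver, so `mail_to` with `replace_at`/`replace_dot` would now alter the string the caller passed in. `email_address_obfuscated = email_address.to_str.dup` keeps both the unflagging this patch wants and the copy the old code had. The enclosing mail_to method starts and ends outside the hunk.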
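Review bot: The new OutputBuffer branch does not behave like the else branch: it slices a plain-string copy and then replaces `self.output_buffer` with a fresh object, so the original buffer object still holds the fragment and any outer code that kept a reference to it (nested capture or cache blocks, presumably) keeps writing into the abandoned instance — confirm nothing reads the old object after this point. The name `safe_output_buffer` also inverts the intent, since it holds the unflagged plain string; `plain_buffer` reads correctly. A why-comment would help the next reader, e.g. `# slice on a plain String so the fragment handed to write_fragment is not marked html_safe` (hedged: that is the apparent purpose of the to_str, the patch does not say). The cache_fragment method this sits in starts outside the hunk.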
@@ -324,16 +324,20 @@ class TextHelperTest < ActionView::TestC
 %{#{text}}
 end
- def test_auto_link_should_be_html_safe
+ def test_auto_link_should_no_be_html_safe
 email_raw = 'santiago@wyeworks.com'
 link_raw = 'http://www.rubyonrails.org'
- assert auto_link(nil).html_safe?
- assert auto_link('').html_safe?
- assert auto_link("#{link_raw} #{link_raw} #{link_raw}").html_safe?
- assert auto_link("hello #{email_raw}").html_safe?
- assert !auto_link(link_raw.html_safe).html_safe?, 'should not be html safe'
- assert !auto_link(email_raw.html_safe).html_safe?, 'should not be html safe'
+ assert !auto_link(nil).html_safe?, 'should not be html safe'
+ assert !auto_link('').html_safe?, 'should not be html safe'
+ assert !auto_link("#{link_raw} #{link_raw} #{link_raw}").html_safe?, 'should not be html safe'
+ assert !auto_link("hello #{email_raw}").html_safe?, 'should not be html safe'
+ end
+
+ def test_auto_link_email_address
+ email_raw = 'aaron@tenderlovemaking.com'
+ email_result = %{#{email_raw}}
+ assert !auto_link_email_addresses(email_result).html_safe?, 'should not be html safe'
 end
 def test_auto_link
--- lib/action_view/helpers/text_helper.rb.orig 2011-06-17 08:29:06.000000000 -0400
+++ lib/action_view/helpers/text_helper.rb 2011-06-17 08:29:25.000000000 -0400
@@ -300,7 +300,7 @@ module ActionView
 # # => "Welcome to my new blog at http://www.myblog.com.
 # Please e-mail me at me@email.com."
 def auto_link(text, *args, &block)#link = :all, html = {}, &block)
- return ''.html_safe if text.blank?
+ return '' if text.blank?
 options = args.size == 2 ? {} : args.extract_options! # this is necessary because the old auto_link API has a Hash as its last parameter
 unless args.empty?
@@ -502,7 +502,7 @@ module ActionView
 content_tag(:a, link_text, link_attributes.merge('href' => href), sanitize) + punctuation.reverse.join('')
 end
- end.html_safe
+ end
 end
 # Turns all email addresses into clickable links. If a block is given,
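Review bot: The renamed test method is misspelled: `test_auto_link_should_no_be_html_safe` should read `test_auto_link_should_not_be_html_safe`. The new `test_auto_link_email_address` exercises the same non-html_safe contract for `auto_link_email_addresses`, so a name that says so, e.g. `test_auto_link_email_addresses_should_not_be_html_safe`, keeps the two tests discoverable together.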
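Review bot: `return '' if text.blank?` together with dropping `.html_safe` from the auto_link_urls block (the `@@ -502` hunk) means auto_link now always returns a plain String, so the link markup it builds will be escaped by output-escaping templates unless the caller marks it — an intentional change per the rewritten tests above, but the doc comment over `auto_link` (outside the hunk) still shows markup in its example output and says nothing about it. Add a sentence there such as `# The result is not marked html_safe; the caller decides whether to escape or mark it.` Note that the already-linked branch of auto_link_email_addresses still returns `text.html_safe` (earlier hunk on this page), which is now the only html_safe-producing path in these helpers and may deserve the same scrutiny.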