1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
|
--- lib/action_view/helpers/text_helper.rb.orig 2011-06-16 21:02:32.000000000 -0400
+++ lib/action_view/helpers/text_helper.rb 2011-06-16 21:07:58.000000000 -0400
@@ -115,13 +115,12 @@ module ActionView
end
options.reverse_merge!(:highlighter => '<strong class="highlight">\1</strong>')
- text = sanitize(text) unless options[:sanitize] == false
- if text.blank? || phrases.blank?
- text
- else
+ if text.present? && phrases.present?
match = Array(phrases).map { |p| Regexp.escape(p) }.join('|')
- text.gsub(/(#{match})(?!(?:[^<]*?)(?:["'])[^<>]*>)/i, options[:highlighter])
- end.html_safe
+ text = text.to_str.gsub(/(#{match})(?!(?:[^<]*?)(?:["'])[^<>]*>)/i, options[:highlighter])
+ end
+ text = sanitize(text) unless options[:sanitize] == false
+ text
end
# Extracts an excerpt from +text+ that matches the first instance of +phrase+.
@@ -251,14 +250,16 @@ module ActionView
# simple_format("Look ma! A class!", :class => 'description')
# # => "<p class='description'>Look ma! A class!</p>"
def simple_format(text, html_options={}, options={})
- text = ''.html_safe if text.nil?
+ text = text ? text.to_str : ''
+ text = text.dup if text.frozen?
start_tag = tag('p', html_options, true)
- text = sanitize(text) unless options[:sanitize] == false
text.gsub!(/\r\n?/, "\n") # \r\n and \r -> \n
text.gsub!(/\n\n+/, "</p>\n\n#{start_tag}") # 2+ newline -> paragraph
text.gsub!(/([^\n]\n)(?=[^\n])/, '\1<br />') # 1 newline -> br
text.insert 0, start_tag
- text.html_safe.safe_concat("</p>")
+ text.concat("</p>")
+ text = sanitize(text) unless options[:sanitize] == false
+ text
end
# Turns all URLs and e-mail addresses into clickable links. The <tt>:link</tt> option
@@ -477,7 +478,7 @@ module ActionView
# is yielded and the result is used as the link text.
def auto_link_urls(text, html_options = {}, options = {})
link_attributes = html_options.stringify_keys
- text.gsub(AUTO_LINK_RE) do
+ text.to_str.gsub(AUTO_LINK_RE) do
scheme, href = $1, $&
punctuation = []
@@ -494,14 +495,12 @@ module ActionView
end
end
- link_text = block_given?? yield(href) : href
+ link_text = block_given? ? yield(href) : href
href = 'http://' + href unless scheme
- unless options[:sanitize] == false
- link_text = sanitize(link_text)
- href = sanitize(href)
- end
- content_tag(:a, link_text, link_attributes.merge('href' => href), !!options[:sanitize]) + punctuation.reverse.join('')
+ sanitize = options[:sanitize] != false
+ content_tag(:a, link_text, link_attributes.merge('href' => href), sanitize) + punctuation.reverse.join('')
+
end
end.html_safe
end
@@ -509,18 +508,14 @@ module ActionView
# Turns all email addresses into clickable links. If a block is given,
# each email is yielded and the result is used as the link text.
def auto_link_email_addresses(text, html_options = {}, options = {})
- text.gsub(AUTO_EMAIL_RE) do
+ text.to_str.gsub(AUTO_EMAIL_RE) do
text = $&
if auto_linked?($`, $')
text.html_safe
else
- display_text = (block_given?) ? yield(text) : text
-
- unless options[:sanitize] == false
- text = sanitize(text)
- display_text = sanitize(display_text) unless text == display_text
- end
+ display_text = block_given? ? yield(text) : text
+ display_text = sanitize(display_text) unless options[:sanitize] == false
mail_to text, display_text, html_options
end
end
--- test/template/text_helper_test.rb.orig 2011-06-16 21:03:06.000000000 -0400
+++ test/template/text_helper_test.rb 2011-06-16 21:10:53.000000000 -0400
@@ -48,6 +48,11 @@ class TextHelperTest < ActionView::TestC
assert_equal "<p><b> test with unsafe string </b><script>code!</script></p>", simple_format("<b> test with unsafe string </b><script>code!</script>", {}, :sanitize => false)
end
+ def test_simple_format_should_not_be_html_safe_when_sanitize_option_is_false
+ assert !simple_format("<b> test with unsafe string </b><script>code!</script>", {}, :sanitize => false).html_safe?
+ end
+
+
def test_truncate_should_not_be_html_safe
assert !truncate("Hello World!", :length => 12).html_safe?
end
@@ -166,6 +171,13 @@ class TextHelperTest < ActionView::TestC
)
end
+ def test_highlight_on_an_html_safe_string
+ assert_equal(
+ "<p>This is a <b>beautiful</b> morning, but also a <b>beautiful</b> day</p>",
+ highlight("<p>This is a beautiful morning, but also a beautiful day</p>".html_safe, "beautiful", :highlighter => '<b>\1</b>')
+ )
+ end
+
def test_highlight_with_html
assert_equal(
"<p>This is a <strong class=\"highlight\">beautiful</strong> morning, but also a <strong class=\"highlight\">beautiful</strong> day</p>",
@@ -306,13 +318,10 @@ class TextHelperTest < ActionView::TestC
end
end
- def generate_result(link_text, href = nil, escape = false)
- href ||= link_text
- if escape
- %{<a href="#{CGI::escapeHTML href}">#{CGI::escapeHTML link_text}</a>}
- else
- %{<a href="#{href}">#{link_text}</a>}
- end
+ def generate_result(link_text, href = nil)
+ href = CGI::escapeHTML(href || link_text)
+ text = CGI::escapeHTML(link_text)
+ %{<a href="#{href}">#{text}</a>}
end
def test_auto_link_should_be_html_safe
@@ -323,6 +332,8 @@ class TextHelperTest < ActionView::TestC
assert auto_link('').html_safe?
assert auto_link("#{link_raw} #{link_raw} #{link_raw}").html_safe?
assert auto_link("hello #{email_raw}").html_safe?
+ assert !auto_link(link_raw.html_safe).html_safe?, 'should not be html safe'
+ assert !auto_link(email_raw.html_safe).html_safe?, 'should not be html safe'
end
def test_auto_link
@@ -419,7 +430,7 @@ class TextHelperTest < ActionView::TestC
def test_auto_link_should_sanitize_input_when_sanitize_option_is_not_false
link_raw = %{http://www.rubyonrails.com?id=1&num=2}
- assert_equal %{<a href="http://www.rubyonrails.com?id=1&num=2">http://www.rubyonrails.com?id=1&num=2</a>}, auto_link(link_raw)
+ assert_equal %{<a href="http://www.rubyonrails.com?id=1&num=2">http://www.rubyonrails.com?id=1&num=2</a>}, auto_link(link_raw)
end
def test_auto_link_should_not_sanitize_input_when_sanitize_option_is_false
--- test/abstract_unit.rb.orig 2011-06-17 07:51:44.000000000 -0400
+++ test/abstract_unit.rb 2011-06-16 22:41:52.000000000 -0400
@@ -169,6 +169,7 @@ class BasicController
config.assets_dir = public_dir
config.javascripts_dir = "#{public_dir}/javascripts"
config.stylesheets_dir = "#{public_dir}/stylesheets"
+ config.assets = ActiveSupport::InheritableOptions.new({ :prefix => "assets" })
config
end
end
--- lib/action_view/helpers/url_helper.rb.orig 2011-06-16 22:39:58.000000000 -0400
+++ lib/action_view/helpers/url_helper.rb 2011-06-16 22:40:35.000000000 -0400
@@ -483,7 +483,7 @@ module ActionView
extras << "subject=#{Rack::Utils.escape(subject).gsub("+", "%20")}" unless subject.nil?
extras = extras.empty? ? '' : '?' + html_escape(extras.join('&'))
- email_address_obfuscated = email_address.dup
+ email_address_obfuscated = email_address.to_str
email_address_obfuscated.gsub!(/@/, html_options.delete("replace_at")) if html_options.has_key?("replace_at")
email_address_obfuscated.gsub!(/\./, html_options.delete("replace_dot")) if html_options.has_key?("replace_dot")
@@ -491,7 +491,7 @@ module ActionView
if encode == "javascript"
html = content_tag("a", name || email_address_obfuscated.html_safe, html_options.merge("href" => "mailto:#{email_address}#{extras}".html_safe))
- html = escape_javascript(html)
+ html = escape_javascript(html.to_str)
"document.write('#{html}');".each_byte do |c|
string << sprintf("%%%x", c)
end
--- lib/action_view/helpers/cache_helper.rb.orig 2011-06-16 22:38:31.000000000 -0400
+++ lib/action_view/helpers/cache_helper.rb 2011-06-16 22:39:35.000000000 -0400
@@ -53,7 +53,13 @@ module ActionView
# This dance is needed because Builder can't use capture
pos = output_buffer.length
yield
- fragment = output_buffer.slice!(pos..-1)
+ if output_buffer.is_a?(ActionView::OutputBuffer)
+ safe_output_buffer = output_buffer.to_str
+ fragment = safe_output_buffer.slice!(pos..-1)
+ self.output_buffer = ActionView::OutputBuffer.new(safe_output_buffer)
+ else
+ fragment = output_buffer.slice!(pos..-1)
+ end
controller.write_fragment(name, fragment, options)
end
end
--- test/template/text_helper_test.rb.orig 2011-06-17 08:28:21.000000000 -0400
+++ test/template/text_helper_test.rb 2011-06-17 08:30:42.000000000 -0400
@@ -324,16 +324,20 @@ class TextHelperTest < ActionView::TestC
%{<a href="#{href}">#{text}</a>}
end
- def test_auto_link_should_be_html_safe
+ def test_auto_link_should_no_be_html_safe
email_raw = 'santiago@wyeworks.com'
link_raw = 'http://www.rubyonrails.org'
- assert auto_link(nil).html_safe?
- assert auto_link('').html_safe?
- assert auto_link("#{link_raw} #{link_raw} #{link_raw}").html_safe?
- assert auto_link("hello #{email_raw}").html_safe?
- assert !auto_link(link_raw.html_safe).html_safe?, 'should not be html safe'
- assert !auto_link(email_raw.html_safe).html_safe?, 'should not be html safe'
+ assert !auto_link(nil).html_safe?, 'should not be html safe'
+ assert !auto_link('').html_safe?, 'should not be html safe'
+ assert !auto_link("#{link_raw} #{link_raw} #{link_raw}").html_safe?, 'should not be html safe'
+ assert !auto_link("hello #{email_raw}").html_safe?, 'should not be html safe'
+ end
+
+ def test_auto_link_email_address
+ email_raw = 'aaron@tenderlovemaking.com'
+ email_result = %{<a href="mailto:#{email_raw}">#{email_raw}</a>}
+ assert !auto_link_email_addresses(email_result).html_safe?, 'should not be html safe'
end
def test_auto_link
--- lib/action_view/helpers/text_helper.rb.orig 2011-06-17 08:29:06.000000000 -0400
+++ lib/action_view/helpers/text_helper.rb 2011-06-17 08:29:25.000000000 -0400
@@ -300,7 +300,7 @@ module ActionView
# # => "Welcome to my new blog at <a href=\"http://www.myblog.com/\" target=\"_blank\">http://www.myblog.com</a>.
# Please e-mail me at <a href=\"mailto:me@email.com\">me@email.com</a>."
def auto_link(text, *args, &block)#link = :all, html = {}, &block)
- return ''.html_safe if text.blank?
+ return '' if text.blank?
options = args.size == 2 ? {} : args.extract_options! # this is necessary because the old auto_link API has a Hash as its last parameter
unless args.empty?
@@ -502,7 +502,7 @@ module ActionView
content_tag(:a, link_text, link_attributes.merge('href' => href), sanitize) + punctuation.reverse.join('')
end
- end.html_safe
+ end
end
# Turns all email addresses into clickable links. If a block is given,
|
