Made markdown honor :safe option and handle safe input. Also added tests for markdown.

[#4794 state:resolved] Signed-off-by: N José Valim <jose.valim@gmail.com>

Made markdown honor :safe option and handle safe input. Also added tests for markdown.
[#4794 state:resolved] Signed-off-by: N José Valim <jose.valim@gmail.com>
47bf19c8 · rohit · José Valim · 9d33c2ab · 47bf19c8 · 47bf19c8
3 changed file
--- a/Gemfile
+++ b/Gemfile
@@ -46,6 +46,7 @@ end

 # AP
 gem "RedCloth", ">= 4.2.2"
+gem "bluecloth", ">= 2.0.7"

 group :documentation do
  gem 'rdoc', '2.1'

--- a/actionpack/lib/action_view/helpers/text_helper.rb
+++ b/actionpack/lib/action_view/helpers/text_helper.rb
@@ -298,8 +298,8 @@ def textilize_without_paragraph(text, *options)
      #
      #   markdown('![The ROR logo](http://rubyonrails.com/images/rails.png "Ruby on Rails")')
      #   # => '<p><img src="http://rubyonrails.com/images/rails.png" alt="The ROR logo" title="Ruby on Rails" /></p>'
-      def markdown(text, options = {})
-        text = sanitize(text) unless options[:safe]
+      def markdown(text, *options)
+        text = sanitize(text) unless text.html_safe? || options.delete(:safe)
        (text.blank? ? "" : BlueCloth.new(text).to_html).html_safe
      end


--- a/actionpack/test/template/text_helper_test.rb
+++ b/actionpack/test/template/text_helper_test.rb
@@ -7,6 +7,12 @@
  $stderr.puts "Skipping textilize tests. `gem install RedCloth` to enable."
 end

+begin
+  require 'bluecloth'
+rescue LoadError
+  $stderr.puts "Skipping markdown tests. 'gem install bluecloth' to enable."
+end
+
 class TextHelperTest < ActionView::TestCase
  tests ActionView::Helpers::TextHelper
  include TestingSandbox
@@ -726,4 +732,34 @@ def test_textilize_without_paragraph_with_hard_breaks
      assert_equal("This is one scary world.<br />\n True.", textilize_without_paragraph("This is one scary world.\n True."))
    end
  end
+
+  if defined? BlueCloth
+    def test_markdown_should_be_html_safe
+      assert markdown("We are using __Markdown__ now!").html_safe?
+    end
+
+    def test_markdown
+      assert_equal("<p>We are using <strong>Markdown</strong> now!</p>", markdown("We are using __Markdown__ now!"))
+    end
+
+    def test_markdown_with_blank
+      assert_equal("", markdown(""))
+    end
+
+    def test_markdown_should_sanitize_unsafe_input
+      assert_equal("<p>This is worded <strong>strongly</strong></p>", markdown("This is worded <strong>strongly</strong><script>code!</script>"))
+    end
+
+    def test_markdown_should_not_sanitize_input_if_safe_option
+      assert_equal("<p>This is worded <strong>strongly</strong><script>code!</script></p>", markdown("This is worded <strong>strongly</strong><script>code!</script>", :safe))
+    end
+
+    def test_markdown_should_not_sanitize_safe_input
+      assert_equal("<p>This is worded <strong>strongly</strong><script>code!</script></p>", markdown("This is worded <strong>strongly</strong><script>code!</script>".html_safe))
+    end
+
+    def test_markdown_with_hard_breaks
+      assert_equal("<p>This is one scary world.</p>\n\n<p>True.</p>", markdown("This is one scary world.\n\nTrue."))
+    end
+  end
 end