The tag helper may bypass escaping.

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7608 5ecf4fe2-1ee6-0310-87b1-e25e094e27de

The tag helper may bypass escaping.
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@7608 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
4b33306c · Jeremy Kemper · 38454983 · 4b33306c · 4b33306c · 4b33306c
3 changed file
--- a/actionpack/CHANGELOG
+++ b/actionpack/CHANGELOG
 *SVN*

+* The tag helper may bypass escaping.  [Jeremy Kemper]
+
 * Cache asset ids.  [Jeremy Kemper]

 * Optimized named routes respect AbstractRequest.relative_url_root.  #9612 [danielmorrison, Jeremy Kemper]

--- a/actionpack/lib/action_view/helpers/tag_helper.rb
+++ b/actionpack/lib/action_view/helpers/tag_helper.rb
@@ -11,9 +11,10 @@ module TagHelper
      BOOLEAN_ATTRIBUTES = Set.new(%w(disabled readonly multiple))

      # Returns an empty HTML tag of type +name+ which by default is XHTML 
-      # compliant. Setting +open+ to true will create an open tag compatible 
+      # compliant. Set +open+ to true to create an open tag compatible 
      # with HTML 4.0 and below. Add HTML attributes by passing an attributes 
-      # hash to +options+. 
+      # hash to +options+. Set +escape+ to false to disable attribute value
+      # escaping.
      #
      # ==== Options
      # The +options+ hash is used with attributes with no value like (<tt>disabled</tt> and 
@@ -30,16 +31,20 @@ module TagHelper
      #   tag("input", { :type => 'text', :disabled => true }) 
      #   # => <input type="text" disabled="disabled" />
      #
-      #   tag("img", { :src => "open.png" })
-      #   # => <img src="open.png" />
-      def tag(name, options = nil, open = false)
-        "<#{name}#{tag_options(options) if options}" + (open ? ">" : " />")
+      #   tag("img", { :src => "open & shut.png" })
+      #   # => <img src="open &amp; shut.png" />
+      #
+      #   tag("img", { :src => "open &amp; shut.png" }, false, false)
+      #   # => <img src="open &amp; shut.png" />
+      def tag(name, options = nil, open = false, escape = true)
+        "<#{name}#{tag_options(options, escape) if options}" + (open ? ">" : " />")
      end

      # Returns an HTML block tag of type +name+ surrounding the +content+. Add
      # HTML attributes by passing an attributes hash to +options+. 
      # Instead of passing the content as an argument, you can also use a block
      # in which case, you pass your +options+ as the second parameter.
+      # Set escape to false to disable attribute value escaping.
      #
      # ==== Options
      # The +options+ hash is used with attributes with no value like (<tt>disabled</tt> and 
@@ -58,15 +63,15 @@ def tag(name, options = nil, open = false)
      #     Hello world!
      #   <% end -%>
      #    # => <div class="strong"><p>Hello world!</p></div>
-      def content_tag(name, content_or_options_with_block = nil, options = nil, &block)
+      def content_tag(name, content_or_options_with_block = nil, options = nil, escape = true, &block)
        if block_given?
          options = content_or_options_with_block if content_or_options_with_block.is_a?(Hash)
          content = capture(&block)
-          content_tag = content_tag_string(name, content, options)
+          content_tag = content_tag_string(name, content, options, escape)
          block_is_within_action_view?(block) ? concat(content_tag, block.binding) : content_tag
        else
          content = content_or_options_with_block
-          content_tag_string(name, content, options)
+          content_tag_string(name, content, options, escape)
        end
      end

@@ -98,19 +103,23 @@ def escape_once(html)
      end

      private
-        def content_tag_string(name, content, options)
-          tag_options = tag_options(options) if options
+        def content_tag_string(name, content, options, escape = true)
+          tag_options = tag_options(options, escape) if options
          "<#{name}#{tag_options}>#{content}</#{name}>"
        end

-        def tag_options(options)
+        def tag_options(options, escape = true)
          unless options.blank?
            attrs = []
-            options.each do |key, value|
-              next unless value
-              key = key.to_s
-              value = BOOLEAN_ATTRIBUTES.include?(key) ? key : escape_once(value)
-              attrs << %(#{key}="#{value}")
+            if escape
+              options.each do |key, value|
+                next unless value
+                key = key.to_s
+                value = BOOLEAN_ATTRIBUTES.include?(key) ? key : escape_once(value)
+                attrs << %(#{key}="#{value}")
+              end
+            else
+              attrs = options.map { |key, value| %(#{key}="#{value}") }
            end
            " #{attrs.sort * ' '}" unless attrs.empty?
          end

--- a/actionpack/test/template/tag_helper_test.rb
+++ b/actionpack/test/template/tag_helper_test.rb
@@ -73,4 +73,8 @@ def test_skip_invalid_escaped_attributes
      assert_equal %(<a href="#{escaped.gsub /&/, '&amp;'}" />), tag('a', :href => escaped)
    end
  end
+
+  def test_disable_escaping
+    assert_equal '<a href="&amp;" />', tag('a', { :href => '&amp;' }, false, false)
+  end
 end