Add <%= escape_once html %> to escape html while leaving any currently escaped...

Add <%= escape_once html %> to escape html while leaving any currently escaped entities alone.  Fix button_to double-escaping issue. [Rick]

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@5322 5ecf4fe2-1ee6-0310-87b1-e25e094e27de

actionpack/CHANGELOG

 *SVN*
 
+* Add <%= escape_once html %> to escape html while leaving any currently escaped entities alone.  Fix button_to double-escaping issue. [Rick]
+
 * Fix double-escaped entities, such as &amp;amp;, &amp;#123;, etc. [Rick]
 
 * Fix deprecation warnings when rendering the template error template. [Nicholas Seckar]

actionpack/lib/action_view/helpers/tag_helper.rb

@@ -31,10 +31,19 @@ def cdata_section(content)
         "<![CDATA[#{content}]]>"
       end
 
+      # Escapes a given string, while leaving any currently escaped entities alone.
+      #
+      #   escape_once("1 > 2 &amp; 3")
+      #   # => "1 &lt; 2 &amp; 3"
+      #
+      def escape_once(html)
+        fix_double_escape(html_escape(html.to_s))
+      end
+
       private
         def tag_options(options)
           cleaned_options = convert_booleans(options.stringify_keys.reject {|key, value| value.nil?})
-          ' ' + cleaned_options.map {|key, value| %(#{key}="#{fix_double_escape(html_escape(value.to_s))}")}.sort * ' ' unless cleaned_options.empty?
+          ' ' + cleaned_options.map {|key, value| %(#{key}="#{escape_once(value)}")}.sort * ' ' unless cleaned_options.empty?
         end
 
         def convert_booleans(options)

actionpack/lib/action_view/helpers/url_helper.rb

@@ -131,8 +131,8 @@ def button_to(name, options = {}, html_options = nil)
         name ||= url
 
         html_options.merge!("type" => "submit", "value" => name)
-
-        "<form method=\"#{form_method}\" action=\"#{h url}\" class=\"button-to\"><div>" + 
+        
+        "<form method=\"#{form_method}\" action=\"#{escape_once url}\" class=\"button-to\"><div>" + 
           method_tag + tag("input", html_options) + "</div></form>"
       end
 

actionpack/test/template/tag_helper_test.rb

@@ -39,6 +39,10 @@ def test_cdata_section
     assert_equal "<![CDATA[<hello world>]]>", cdata_section("<hello world>")
   end
   
+  def test_escape_once
+    assert_equal '1 &lt; 2 &amp; 3', escape_once('1 < 2 &amp; 3')
+  end
+  
   def test_double_escaping_attributes
     ['1&amp;2', '1 &lt; 2', '&#8220;test&#8220;'].each do |escaped|
       assert_equal %(<a href="#{escaped}" />), tag('a', :href => escaped)

actionpack/test/template/url_helper_test.rb

@@ -38,6 +38,10 @@ def test_button_to_with_query
     assert_dom_equal "<form method=\"post\" action=\"http://www.example.com/q1=v1&amp;q2=v2\" class=\"button-to\"><div><input type=\"submit\" value=\"Hello\" /></div></form>", button_to("Hello", "http://www.example.com/q1=v1&q2=v2")
   end
 
+  def test_button_to_with_escaped_query
+    assert_dom_equal "<form method=\"post\" action=\"http://www.example.com/q1=v1&amp;q2=v2\" class=\"button-to\"><div><input type=\"submit\" value=\"Hello\" /></div></form>", button_to("Hello", "http://www.example.com/q1=v1&amp;q2=v2")
+  end
+
   def test_button_to_with_query_and_no_name
     assert_dom_equal "<form method=\"post\" action=\"http://www.example.com?q1=v1&amp;q2=v2\" class=\"button-to\"><div><input type=\"submit\" value=\"http://www.example.com?q1=v1&amp;q2=v2\" /></div></form>", button_to(nil, "http://www.example.com?q1=v1&q2=v2")
   end