From aabbcef13554227abe2a842ee151fdcf17fbf1d7 Mon Sep 17 00:00:00 2001 From: Vladimir Dobriakov Date: Tue, 4 Nov 2008 13:46:36 +0100 Subject: [PATCH] fixed issue 1238 FormTagHelper generates illegal html if name contains e.g. square brackets --- .../lib/action_view/helpers/form_tag_helper.rb | 14 ++++++-- actionpack/test/template/form_tag_helper_test.rb | 35 +++++++++++++++++++- 2 files changed, 44 insertions(+), 5 deletions(-) diff --git a/actionpack/lib/action_view/helpers/form_tag_helper.rb b/actionpack/lib/action_view/helpers/form_tag_helper.rb index 7492348..4646bc1 100644 --- a/actionpack/lib/action_view/helpers/form_tag_helper.rb +++ b/actionpack/lib/action_view/helpers/form_tag_helper.rb @@ -78,7 +78,7 @@ module ActionView # # def select_tag(name, option_tags = nil, options = {}) html_name = (options[:multiple] == true && !name.to_s.ends_with?("[]")) ? "#{name}[]" : name - content_tag :select, option_tags, { "name" => html_name, "id" => name }.update(options.stringify_keys) + content_tag :select, option_tags, { "name" => html_name, "id" => sanitize_to_id(name) }.update(options.stringify_keys) end # Creates a standard text field; use these text fields to input smaller chunks of text like a username @@ -112,7 +112,7 @@ module ActionView # text_field_tag 'ip', '0.0.0.0', :maxlength => 15, :size => 20, :class => "ip-input" # # => def text_field_tag(name, value = nil, options = {}) - tag :input, { "type" => "text", "name" => name, "id" => name, "value" => value }.update(options.stringify_keys) + tag :input, { "type" => "text", "name" => name, "id" => sanitize_to_id(name), "value" => value }.update(options.stringify_keys) end # Creates a label field @@ -130,7 +130,7 @@ module ActionView # label_tag 'name', nil, :class => 'small_label' # # => def label_tag(name, text = nil, options = {}) - content_tag :label, text || name.to_s.humanize, { "for" => name }.update(options.stringify_keys) + content_tag :label, text || name.to_s.humanize, { "for" => sanitize_to_id(name) }.update(options.stringify_keys) end # Creates a hidden form input field used to transmit data that would be lost due to HTTP's statelessness or @@ -282,7 +282,7 @@ module ActionView # check_box_tag 'eula', 'accepted', false, :disabled => true # # => def check_box_tag(name, value = "1", checked = false, options = {}) - html_options = { "type" => "checkbox", "name" => name, "id" => name, "value" => value }.update(options.stringify_keys) + html_options = { "type" => "checkbox", "name" => name, "id" => sanitize_to_id(name), "value" => value }.update(options.stringify_keys) html_options["checked"] = "checked" if checked tag :input, html_options end @@ -470,6 +470,12 @@ module ActionView tag(:input, :type => "hidden", :name => request_forgery_protection_token.to_s, :value => form_authenticity_token) end end + + # see http://www.w3.org/TR/html4/types.html#type-name + def sanitize_to_id(name) + name.to_s.gsub(']','').gsub(/[^-a-zA-Z0-9:.]/, "_") + end + end end end diff --git a/actionpack/test/template/form_tag_helper_test.rb b/actionpack/test/template/form_tag_helper_test.rb index 1849a61..de82647 100644 --- a/actionpack/test/template/form_tag_helper_test.rb +++ b/actionpack/test/template/form_tag_helper_test.rb @@ -12,12 +12,19 @@ class FormTagHelperTest < ActionView::TestCase @controller = @controller.new end + VALID_HTML_ID = /^[A-Za-z][-_:.A-Za-z0-9]*$/ # see http://www.w3.org/TR/html4/types.html#type-name + def test_check_box_tag actual = check_box_tag "admin" expected = %() assert_dom_equal expected, actual end + def test_check_box_tag_id_sanitized + label_elem = root_elem(check_box_tag("project[2][admin]")) + assert_match VALID_HTML_ID, label_elem['id'] + end + def test_form_tag actual = form_tag expected = %(
) @@ -64,6 +71,11 @@ class FormTagHelperTest < ActionView::TestCase assert_dom_equal expected, actual end + def test_hidden_field_tag_id_sanitized + input_elem = root_elem(hidden_field_tag("item[][title]")) + assert_match VALID_HTML_ID, input_elem['id'] + end + def test_file_field_tag assert_dom_equal "", file_field_tag("picsplz") end @@ -118,6 +130,11 @@ class FormTagHelperTest < ActionView::TestCase assert_dom_equal expected, actual end + def test_select_tag_id_sanitized + input_elem = root_elem(select_tag("project[1]people", "")) + assert_match VALID_HTML_ID, input_elem['id'] + end + def test_text_area_tag_size_string actual = text_area_tag "body", "hello world", "size" => "20x40" expected = %() @@ -184,6 +201,11 @@ class FormTagHelperTest < ActionView::TestCase assert_dom_equal expected, actual end + def test_text_field_tag_id_sanitized + input_elem = root_elem(text_field_tag("item[][title]")) + assert_match VALID_HTML_ID, input_elem['id'] + end + def test_label_tag_without_text actual = label_tag "title" expected = %() @@ -208,11 +230,16 @@ class FormTagHelperTest < ActionView::TestCase assert_dom_equal expected, actual end + def test_label_tag_id_sanitized + label_elem = root_elem(label_tag("item[title]")) + assert_match VALID_HTML_ID, label_elem['for'] + end + def test_boolean_optios assert_dom_equal %(), check_box_tag("admin", 1, true, 'disabled' => true, :readonly => "yes") assert_dom_equal %(), check_box_tag("admin", 1, true, :disabled => false, :readonly => nil) assert_dom_equal %(), select_tag("people", "", :multiple => true) - assert_dom_equal %(), select_tag("people[]", "", :multiple => true) + assert_dom_equal %(), select_tag("people[]", "", :multiple => true) assert_dom_equal %(), select_tag("people", "", :multiple => nil) end @@ -283,4 +310,10 @@ class FormTagHelperTest < ActionView::TestCase def protect_against_forgery? false end + + private + + def root_elem(rendered_content) + HTML::Document.new(rendered_content).root.children[0] + end end -- 1.5.4.3