From a2d9f46116a9166c1896ff2a1941b9d2b82b4a07 Mon Sep 17 00:00:00 2001
From: =?utf-8?q?Inge=20J=C3=B8rgensen?= <inge@manualdesign.no>
Date: Mon, 15 Dec 2008 14:41:30 +0100
Subject: [PATCH] Made error_messages_for HTML escape it's error messages

---
 .../action_view/helpers/active_record_helper.rb    |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/actionpack/lib/action_view/helpers/active_record_helper.rb b/actionpack/lib/action_view/helpers/active_record_helper.rb
index 8b56d24..bb2d900 100644
--- a/actionpack/lib/action_view/helpers/active_record_helper.rb
+++ b/actionpack/lib/action_view/helpers/active_record_helper.rb
@@ -198,7 +198,7 @@ module ActionView
               locale.t :header, :count => count, :model => object_name
             end
             message = options.include?(:message) ? options[:message] : locale.t(:body)
-            error_messages = objects.sum {|object| object.errors.full_messages.map {|msg| content_tag(:li, msg) } }.join
+            error_messages = objects.sum {|object| object.errors.full_messages.map {|msg| content_tag(:li, ERB::Util.html_escape(msg)) } }.join
 
             contents = ''
             contents << content_tag(options[:header_tag] || :h2, header_message) unless header_message.blank?
-- 
1.6.0.4


From 73fc556dc913bee552fea78a84e0dbb4b10bc518 Mon Sep 17 00:00:00 2001
From: =?utf-8?q?Inge=20J=C3=B8rgensen?= <inge@manualdesign.no>
Date: Mon, 15 Dec 2008 17:31:39 +0100
Subject: [PATCH] Added test

---
 .../test/template/active_record_helper_test.rb     |   11 +++++++++++
 1 files changed, 11 insertions(+), 0 deletions(-)

diff --git a/actionpack/test/template/active_record_helper_test.rb b/actionpack/test/template/active_record_helper_test.rb
index e46f95d..b233170 100644
--- a/actionpack/test/template/active_record_helper_test.rb
+++ b/actionpack/test/template/active_record_helper_test.rb
@@ -195,6 +195,17 @@ class ActiveRecordHelperTest < ActionView::TestCase
     assert_equal %(<div class="errorDeathByClass"><h1>1 error prohibited this post from being saved</h1><p>There were problems with the following fields:</p><ul><li>Author name can't be empty</li></ul></div>), error_messages_for("post", :class => "errorDeathByClass", :id => nil, :header_tag => "h1")
   end
 
+  def test_error_messages_for_escapes_html
+    def @post.errors
+      Class.new {
+        def empty?() false end
+        def count() 1 end
+        def full_messages() [ "Author name can't be <em>empty</em>" ] end
+      }.new
+    end
+    assert_dom_equal %(<div class="errorExplanation" id="errorExplanation"><h2>1 error prohibited this post from being saved</h2><p>There were problems with the following fields:</p><ul><li>Author name can't be &lt;em&gt;empty&lt;/em&gt;</li></ul></div>), error_messages_for("post")
+  end
+
   def test_error_messages_for_handles_nil
     assert_equal "", error_messages_for("notthere")
   end
-- 
1.6.0.4