From 8720f97edae8a522b7634445737543409630efce Mon Sep 17 00:00:00 2001 From: Dan Barry Date: Mon, 5 Jan 2009 13:51:00 -0600 Subject: [PATCH] make error_message_on HTML escape its error messages --- .../action_view/helpers/active_record_helper.rb | 2 +- .../test/template/active_record_helper_test.rb | 9 +++++++++ 2 files changed, 10 insertions(+), 1 deletions(-) diff --git a/actionpack/lib/action_view/helpers/active_record_helper.rb b/actionpack/lib/action_view/helpers/active_record_helper.rb index 8b56d24..165940e 100644 --- a/actionpack/lib/action_view/helpers/active_record_helper.rb +++ b/actionpack/lib/action_view/helpers/active_record_helper.rb @@ -121,7 +121,7 @@ module ActionView if (obj = (object.respond_to?(:errors) ? object : instance_variable_get("@#{object}"))) && (errors = obj.errors.on(method)) content_tag("div", - "#{options[:prepend_text]}#{errors.is_a?(Array) ? errors.first : errors}#{options[:append_text]}", + "#{options[:prepend_text]}#{ERB::Util.html_escape(errors.is_a?(Array) ? errors.first : errors)}#{options[:append_text]}", :class => options[:css_class] ) else diff --git a/actionpack/test/template/active_record_helper_test.rb b/actionpack/test/template/active_record_helper_test.rb index e46f95d..4b79e3c 100644 --- a/actionpack/test/template/active_record_helper_test.rb +++ b/actionpack/test/template/active_record_helper_test.rb @@ -199,6 +199,15 @@ class ActiveRecordHelperTest < ActionView::TestCase assert_equal "", error_messages_for("notthere") end + def test_error_message_on_escapes_html + def @post.errors + Class.new { + def on(field) "can't be empty" end + }.new + end + assert_dom_equal "
can't be <em>empty</em>
", error_message_on(:post, :author_name) + end + def test_error_message_on_handles_nil assert_equal "", error_message_on("notthere", "notthere") end -- 1.5.4.2