From cd2d4a40e82fe6466bfe24cf1be9b74934c3a523 Mon Sep 17 00:00:00 2001
From: Chris Mear <chris@feedmechocolate.com>
Date: Thu, 19 Feb 2009 14:16:10 +0000
Subject: [PATCH] Make text_area_tag escape contents by default.

---
 .../lib/action_view/helpers/form_tag_helper.rb     |    7 ++++++-
 actionpack/test/template/form_tag_helper_test.rb   |   16 ++++++++++++++--
 2 files changed, 20 insertions(+), 3 deletions(-)

diff --git a/actionpack/lib/action_view/helpers/form_tag_helper.rb b/actionpack/lib/action_view/helpers/form_tag_helper.rb
index 8ab78e7..1ccff88 100644
--- a/actionpack/lib/action_view/helpers/form_tag_helper.rb
+++ b/actionpack/lib/action_view/helpers/form_tag_helper.rb
@@ -231,6 +231,8 @@ module ActionView
       # * <tt>:rows</tt> - Specify the number of rows in the textarea
       # * <tt>:cols</tt> - Specify the number of columns in the textarea
       # * <tt>:disabled</tt> - If set to true, the user will not be able to use this input.
+      # * <tt>:escape</tt> - By default, the contents of the text input are HTML escaped.
+      #   If you need unescaped contents, set this to false.                           
       # * Any other key creates standard HTML attributes for the tag.
       #
       # ==== Examples
@@ -257,7 +259,10 @@ module ActionView
         if size = options.delete("size")
           options["cols"], options["rows"] = size.split("x") if size.respond_to?(:split)
         end
-
+        
+        escape = options.key?("escape") ? options.delete("escape") : true
+        content = html_escape(content) if escape
+        
         content_tag :textarea, content, { "name" => name, "id" => sanitize_to_id(name) }.update(options.stringify_keys)
       end
 
diff --git a/actionpack/test/template/form_tag_helper_test.rb b/actionpack/test/template/form_tag_helper_test.rb
index 09d199b..656e06b 100644
--- a/actionpack/test/template/form_tag_helper_test.rb
+++ b/actionpack/test/template/form_tag_helper_test.rb
@@ -158,13 +158,25 @@ class FormTagHelperTest < ActionView::TestCase
     input_elem = root_elem(text_area_tag("item[][description]"))
     assert_match VALID_HTML_ID, input_elem['id']
   end
-
+  
+  def test_text_area_tag_escape_content
+    actual = text_area_tag "body", "<b>hello world</b>", :size => "20x40"
+    expected = %(<textarea cols="20" id="body" name="body" rows="40">&lt;b&gt;hello world&lt;/b&gt;</textarea>)
+    assert_dom_equal expected, actual
+  end
+  
+  def test_text_area_tag_unescaped_content
+    actual = text_area_tag "body", "<b>hello world</b>", :size => "20x40", :escape => false
+    expected = %(<textarea cols="20" id="body" name="body" rows="40"><b>hello world</b></textarea>)
+    assert_dom_equal expected, actual
+  end
+  
   def test_text_field_tag
     actual = text_field_tag "title", "Hello!"
     expected = %(<input id="title" name="title" type="text" value="Hello!" />)
     assert_dom_equal expected, actual
   end
-
+  
   def test_text_field_tag_class_string
     actual = text_field_tag "title", "Hello!", "class" => "admin"
     expected = %(<input class="admin" id="title" name="title" type="text" value="Hello!" />)
-- 
1.6.3.3