From 0d11d8c22d1f095342710a000dd05eff2979e07c Mon Sep 17 00:00:00 2001
From: Stephen Judkins <stephen@aboutus.org>
Date: Fri, 21 Aug 2009 12:11:39 -0700
Subject: [PATCH] Fixed undesirable property of TagHelper, where HTML literals are not escaped.

Using basic form tags in a 'railsy' way, we were able to force changes to occur when a user makes no changes, if there is text stored with HTML entities included.

See https://rails.lighthouseapp.com/projects/8995-rails-plugins/tickets/66-html-literals-passed-into-tag-helpers-dont-escape
---
 actionpack/lib/action_view/helpers/tag_helper.rb |    2 +-
 actionpack/test/template/tag_helper_test.rb      |   17 ++++++-----------
 2 files changed, 7 insertions(+), 12 deletions(-)

diff --git a/actionpack/lib/action_view/helpers/tag_helper.rb b/actionpack/lib/action_view/helpers/tag_helper.rb
index af8c4d5..3de765f 100644
--- a/actionpack/lib/action_view/helpers/tag_helper.rb
+++ b/actionpack/lib/action_view/helpers/tag_helper.rb
@@ -136,7 +136,7 @@ module ActionView
                 if BOOLEAN_ATTRIBUTES.include?(key)
                   attrs << %(#{key}="#{key}") if value
                 else
-                  attrs << %(#{key}="#{escape_once(value)}") if !value.nil?
+                  attrs << %(#{key}="#{ERB::Util.h(value)}") if !value.nil?
                 end
               end
             else
diff --git a/actionpack/test/template/tag_helper_test.rb b/actionpack/test/template/tag_helper_test.rb
index ef88cae..f336f61 100644
--- a/actionpack/test/template/tag_helper_test.rb
+++ b/actionpack/test/template/tag_helper_test.rb
@@ -74,17 +74,7 @@ class TagHelperTest < ActionView::TestCase
   def test_cdata_section
     assert_equal "<![CDATA[<hello world>]]>", cdata_section("<hello world>")
   end
-  
-  def test_escape_once
-    assert_equal '1 &lt; 2 &amp; 3', escape_once('1 < 2 &amp; 3')
-  end
-  
-  def test_double_escaping_attributes
-    ['1&amp;2', '1 &lt; 2', '&#8220;test&#8220;'].each do |escaped|
-      assert_equal %(<a href="#{escaped}" />), tag('a', :href => escaped)
-    end
-  end
-  
+
   def test_skip_invalid_escaped_attributes
     ['&1;', '&#1dfa3;', '& #123;'].each do |escaped|
       assert_equal %(<a href="#{escaped.gsub /&/, '&amp;'}" />), tag('a', :href => escaped)
@@ -94,4 +84,9 @@ class TagHelperTest < ActionView::TestCase
   def test_disable_escaping
     assert_equal '<a href="&amp;" />', tag('a', { :href => '&amp;' }, false, false)
   end
+
+  def test_escape_html_literals
+    assert_equal "<input id=\"name\" name=\"name\" type=\"checkbox\" value=\"&amp;amp;\" />", check_box_tag("name", "&amp;")
+    assert_not_equal check_box_tag("name", "&amp;"), check_box_tag("name", "&")
+  end
 end
-- 
1.6.3.3