From 3e92dd40719c7e5d7343c5997f9dfcb7531daa55 Mon Sep 17 00:00:00 2001
From: Jeff Kreeftmeijer <jeff@kreeftmeijer.nl>
Date: Mon, 11 Oct 2010 20:39:12 +0200
Subject: [PATCH] Make sure capture's output gets html_escaped [#5545 state:resolved]

Also remove a duplicate test_link_to_unless assertion and add .html_safe to the
remaining one.
---
 .../lib/action_view/helpers/capture_helper.rb      |    3 ++-
 actionpack/test/template/capture_helper_test.rb    |    5 +++++
 actionpack/test/template/url_helper_test.rb        |    7 +------
 3 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/actionpack/lib/action_view/helpers/capture_helper.rb b/actionpack/lib/action_view/helpers/capture_helper.rb
index 0401e6a..2c805c8 100644
--- a/actionpack/lib/action_view/helpers/capture_helper.rb
+++ b/actionpack/lib/action_view/helpers/capture_helper.rb
@@ -1,4 +1,5 @@
 require 'active_support/core_ext/object/blank'
+require 'active_support/core_ext/string/output_safety'
 
 module ActionView
   # = Action View Capture Helper
@@ -38,7 +39,7 @@ module ActionView
         value = nil
         buffer = with_output_buffer { value = yield(*args) }
         if string = buffer.presence || value and string.is_a?(String)
-          string
+          html_escape string
         end
       end
 
diff --git a/actionpack/test/template/capture_helper_test.rb b/actionpack/test/template/capture_helper_test.rb
index 8f81076..25da17b 100644
--- a/actionpack/test/template/capture_helper_test.rb
+++ b/actionpack/test/template/capture_helper_test.rb
@@ -28,6 +28,11 @@ class CaptureHelperTest < ActionView::TestCase
     assert_nil @av.capture { 1 }
   end
 
+  def test_capture_escapes_html
+    string = @av.capture { '<strong>foo</strong><em>bar</em>' }
+    assert_equal '&lt;strong&gt;foo&lt;/strong&gt;&lt;em&gt;bar&lt;/em&gt;', string
+  end
+
   def test_content_for
     assert ! content_for?(:title)
     content_for :title, 'title'
diff --git a/actionpack/test/template/url_helper_test.rb b/actionpack/test/template/url_helper_test.rb
index a6fdf80..0a08958 100644
--- a/actionpack/test/template/url_helper_test.rb
+++ b/actionpack/test/template/url_helper_test.rb
@@ -263,12 +263,7 @@ class UrlHelperTest < ActiveSupport::TestCase
 
     assert_equal "<strong>Showing</strong>",
       link_to_unless(true, "Showing", url_hash) { |name|
-        "<strong>#{name}</strong>"
-      }
-
-    assert_equal "<strong>Showing</strong>",
-      link_to_unless(true, "Showing", url_hash) { |name|
-        "<strong>#{name}</strong>"
+        "<strong>#{name}</strong>".html_safe
       }
 
     assert_equal "test",
-- 
1.7.2