From 897774db6f056e9aa4bac9bf8bc70bab3fdc4793 Mon Sep 17 00:00:00 2001
From: Brian Morearty <github2@morearty.org>
Date: Sun, 13 Feb 2011 13:29:22 -0800
Subject: [PATCH] Remove 'escape' parameter/option from helper functions. [#6421 state:resolved]

Remove the 'escape' parameter/option from the following helpers:
  FormTagHelper#text_area
  TagHelper#content_tag
  TagHelper#tag

The parameter was deprecated in Rails 3.0.5.

Instead of using the escape parameter, callers should now call html_safe on any parameters they don't want escaped.
---
 .../asset_tag_helpers/stylesheet_tag_helpers.rb    |    2 +-
 .../lib/action_view/helpers/form_options_helper.rb |    2 +-
 .../lib/action_view/helpers/form_tag_helper.rb     |   12 +++----
 actionpack/lib/action_view/helpers/tag_helper.rb   |   39 +++++++++++---------
 actionpack/lib/action_view/helpers/text_helper.rb  |    7 +++-
 actionpack/test/template/erb/tag_helper_test.rb    |    4 ++
 actionpack/test/template/form_tag_helper_test.rb   |    6 ++--
 actionpack/test/template/tag_helper_test.rb        |   23 +++++++-----
 8 files changed, 53 insertions(+), 42 deletions(-)

diff --git a/actionpack/lib/action_view/helpers/asset_tag_helpers/stylesheet_tag_helpers.rb b/actionpack/lib/action_view/helpers/asset_tag_helpers/stylesheet_tag_helpers.rb
index f3e041d..c8335bd 100644
--- a/actionpack/lib/action_view/helpers/asset_tag_helpers/stylesheet_tag_helpers.rb
+++ b/actionpack/lib/action_view/helpers/asset_tag_helpers/stylesheet_tag_helpers.rb
@@ -19,7 +19,7 @@ module ActionView
         end
 
         def asset_tag(source, options)
-          tag("link", { "rel" => "stylesheet", "type" => Mime::CSS, "media" => "screen", "href" => ERB::Util.html_escape(path_to_asset(source)) }.merge(options), false, false)
+          tag("link", { "rel" => "stylesheet", "type" => Mime::CSS, "media" => "screen", "href" => ERB::Util.html_escape(path_to_asset(source)) }.merge(options))
         end
 
         def custom_dir
diff --git a/actionpack/lib/action_view/helpers/form_options_helper.rb b/actionpack/lib/action_view/helpers/form_options_helper.rb
index 7698602..d30a38e 100644
--- a/actionpack/lib/action_view/helpers/form_options_helper.rb
+++ b/actionpack/lib/action_view/helpers/form_options_helper.rb
@@ -447,7 +447,7 @@ module ActionView
       # wrap the output in an appropriate <tt><select></tt> tag.
       def grouped_options_for_select(grouped_options, selected_key = nil, prompt = nil)
         body = ''
-        body << content_tag(:option, prompt, { :value => "" }, true) if prompt
+        body << content_tag(:option, prompt, { :value => "" }) if prompt
 
         grouped_options = grouped_options.sort if grouped_options.is_a?(Hash)
 
diff --git a/actionpack/lib/action_view/helpers/form_tag_helper.rb b/actionpack/lib/action_view/helpers/form_tag_helper.rb
index 71f8534..02f9827 100644
--- a/actionpack/lib/action_view/helpers/form_tag_helper.rb
+++ b/actionpack/lib/action_view/helpers/form_tag_helper.rb
@@ -266,13 +266,14 @@ module ActionView
 
       # Creates a text input area; use a textarea for longer text inputs such as blog posts or descriptions.
       #
+      # By default, the contents of the text input are HTML escaped.  If you need unescaped contents,
+      # call html_safe on the content parameter.
+      #
       # ==== Options
       # * <tt>:size</tt> - A string specifying the dimensions (columns by rows) of the textarea (e.g., "25x10").
       # * <tt>:rows</tt> - Specify the number of rows in the textarea
       # * <tt>:cols</tt> - Specify the number of columns in the textarea
       # * <tt>:disabled</tt> - If set to true, the user will not be able to use this input.
-      # * <tt>:escape</tt> - By default, the contents of the text input are HTML escaped.
-      #   If you need unescaped contents, set this to false.
       # * Any other key creates standard HTML attributes for the tag.
       #
       # ==== Examples
@@ -300,10 +301,7 @@ module ActionView
           options["cols"], options["rows"] = size.split("x") if size.respond_to?(:split)
         end
 
-        escape = options.key?("escape") ? options.delete("escape") : true
-        content = ERB::Util.html_escape(content) if escape
-
-        content_tag :textarea, content.to_s.html_safe, { "name" => name, "id" => sanitize_to_id(name) }.update(options)
+        content_tag :textarea, content.to_s, { "name" => name, "id" => sanitize_to_id(name) }.update(options)
       end
 
       # Creates a check box form input tag.
@@ -592,7 +590,7 @@ module ActionView
           options.stringify_keys.tap do |html_options|
             html_options["enctype"] = "multipart/form-data" if html_options.delete("multipart")
             # The following URL is unescaped, this is just a hash of options, and it is the
-            # responsability of the caller to escape all the values.
+            # responsibility of the caller to escape all the values.
             html_options["action"]  = url_for(url_for_options, *parameters_for_url)
             html_options["accept-charset"] = "UTF-8"
             html_options["data-remote"] = true if html_options.delete("remote")
diff --git a/actionpack/lib/action_view/helpers/tag_helper.rb b/actionpack/lib/action_view/helpers/tag_helper.rb
index 786af5c..19305df 100644
--- a/actionpack/lib/action_view/helpers/tag_helper.rb
+++ b/actionpack/lib/action_view/helpers/tag_helper.rb
@@ -20,8 +20,8 @@ module ActionView
       # Returns an empty HTML tag of type +name+ which by default is XHTML
       # compliant. Set +open+ to true to create an open tag compatible
       # with HTML 4.0 and below. Add HTML attributes by passing an attributes
-      # hash to +options+. Set +escape+ to false to disable attribute value
-      # escaping.
+      # hash to +options+. Call html_safe on the attribute values to prevent
+      # them from being escaped.
       #
       # ==== Options
       # You can use symbols or strings for the attribute names.
@@ -53,20 +53,20 @@ module ActionView
       #   tag("img", :src => "open & shut.png")
       #   # => <img src="open &amp; shut.png" />
       #
-      #   tag("img", {:src => "open &amp; shut.png"}, false, false)
+      #   tag("img", {:src => "open &amp; shut.png".html_safe})
       #   # => <img src="open &amp; shut.png" />
       #
       #   tag("div", :data => {:name => 'Stephen', :city_state => %w(Chicago IL)})
       #   # => <div data-name="Stephen" data-city-state="[&quot;Chicago&quot;,&quot;IL&quot;]" />
-      def tag(name, options = nil, open = false, escape = true)
-        "<#{name}#{tag_options(options, escape) if options}#{open ? ">" : " />"}".html_safe
+      def tag(name, options = nil, open = false)
+        "<#{name}#{tag_options(options) if options}#{open ? ">" : " />"}".html_safe
       end
 
       # Returns an HTML block tag of type +name+ surrounding the +content+. Add
       # HTML attributes by passing an attributes hash to +options+.
       # Instead of passing the content as an argument, you can also use a block
       # in which case, you pass your +options+ as the second parameter.
-      # Set escape to false to disable attribute value escaping.
+      # Call html_safe on the content and the attribute values to disable HTML escaping.
       #
       # ==== Options
       # The +options+ hash is used with attributes with no value like (<tt>disabled</tt> and
@@ -78,19 +78,23 @@ module ActionView
       #    # => <p>Hello world!</p>
       #   content_tag(:div, content_tag(:p, "Hello world!"), :class => "strong")
       #    # => <div class="strong"><p>Hello world!</p></div>
+      #   content_tag(:p, "<b>Hello</b> world!".html_safe)
+      #    # => <p><b>Hello</b> world!</p>
       #   content_tag("select", options, :multiple => true)
       #    # => <select multiple="multiple">...options...</select>
+      #   content_tag("p", "Hello world!", {:class => ["song", "play>".html_safe]})
+      #    # => <p class="song play>">Hello world!</p>
       #
       #   <%= content_tag :div, :class => "strong" do -%>
-      #     Hello world!
+      #     <b>Hello</b> world!
       #   <% end -%>
-      #    # => <div class="strong">Hello world!</div>
-      def content_tag(name, content_or_options_with_block = nil, options = nil, escape = true, &block)
+      #    # => <div class="strong"><b>Hello</b> world!</div>
+      def content_tag(name, content_or_options_with_block = nil, options = nil, &block)
         if block_given?
           options = content_or_options_with_block if content_or_options_with_block.is_a?(Hash)
-          content_tag_string(name, capture(&block), options, escape)
+          content_tag_string(name, capture(&block), options)
         else
-          content_tag_string(name, content_or_options_with_block, options, escape)
+          content_tag_string(name, content_or_options_with_block, options)
         end
       end
 
@@ -123,12 +127,12 @@ module ActionView
 
       private
 
-        def content_tag_string(name, content, options, escape = true)
-          tag_options = tag_options(options, escape) if options
-          "<#{name}#{tag_options}>#{escape ? ERB::Util.h(content) : content}</#{name}>".html_safe
+        def content_tag_string(name, content, options)
+          tag_options = tag_options(options) if options
+          "<#{name}#{tag_options}>#{ERB::Util.h(content)}</#{name}>".html_safe
         end
 
-        def tag_options(options, escape = true)
+        def tag_options(options)
           unless options.blank?
             attrs = []
             options.each_pair do |key, value|
@@ -137,14 +141,13 @@ module ActionView
                   if !v.is_a?(String) && !v.is_a?(Symbol)
                     v = v.to_json
                   end
-                  v = ERB::Util.html_escape(v) if escape
+                  v = ERB::Util.html_escape(v)
                   attrs << %(data-#{k.to_s.dasherize}="#{v}")
                 end
               elsif BOOLEAN_ATTRIBUTES.include?(key)
                 attrs << %(#{key}="#{key}") if value
               elsif !value.nil?
-                final_value = value.is_a?(Array) ? value.join(" ") : value
-                final_value = ERB::Util.html_escape(final_value) if escape
+                final_value = value.is_a?(Array) ? value.map{|v|ERB::Util.html_escape(v)}.join(" ") : ERB::Util.html_escape(value)
                 attrs << %(#{key}="#{final_value}")
               end
             end
diff --git a/actionpack/lib/action_view/helpers/text_helper.rb b/actionpack/lib/action_view/helpers/text_helper.rb
index 4f7f5c4..3b20e8d 100644
--- a/actionpack/lib/action_view/helpers/text_helper.rb
+++ b/actionpack/lib/action_view/helpers/text_helper.rb
@@ -494,11 +494,14 @@ module ActionView
               link_text = block_given?? yield(href) : href
               href = 'http://' + href unless scheme
 
-              unless options[:sanitize] == false
+              if options.fetch(:sanitize, true)
                 link_text = sanitize(link_text)
                 href      = sanitize(href)
+              else
+                link_text = link_text.html_safe
+                href      = href.html_safe
               end
-              content_tag(:a, link_text, link_attributes.merge('href' => href), !!options[:sanitize]) + punctuation.reverse.join('')
+              content_tag(:a, link_text, link_attributes.merge('href' => href)) + punctuation.reverse.join('')
             end
           end.html_safe
         end
diff --git a/actionpack/test/template/erb/tag_helper_test.rb b/actionpack/test/template/erb/tag_helper_test.rb
index a384e94..d2c28eb 100644
--- a/actionpack/test/template/erb/tag_helper_test.rb
+++ b/actionpack/test/template/erb/tag_helper_test.rb
@@ -10,6 +10,10 @@ module ERBTest
       assert_equal "<div>Hello world</div>", render_content("content_tag :div", "Hello world")
     end
 
+    test "percent equals works for content_tag and does not escape_content" do
+      assert_equal "<div><b>Hello</b> world</div>", render_content("content_tag :div", "<b>Hello</b> world")
+    end
+
     test "percent equals works for javascript_tag" do
       expected_output = "<script type=\"text/javascript\">\n//<![CDATA[\nalert('Hello')\n//]]>\n</script>"
       assert_equal expected_output, render_content("javascript_tag", "alert('Hello')")
diff --git a/actionpack/test/template/form_tag_helper_test.rb b/actionpack/test/template/form_tag_helper_test.rb
index f8671f2..58e2f0f 100644
--- a/actionpack/test/template/form_tag_helper_test.rb
+++ b/actionpack/test/template/form_tag_helper_test.rb
@@ -234,14 +234,14 @@ class FormTagHelperTest < ActionView::TestCase
     assert_dom_equal expected, actual
   end
 
-  def test_text_area_tag_unescaped_content
-    actual = text_area_tag "body", "<b>hello world</b>", :size => "20x40", :escape => false
+  def test_text_area_tag_dont_escape_safe_content
+    actual = text_area_tag "body", "<b>hello world</b>".html_safe, :size => "20x40"
     expected = %(<textarea cols="20" id="body" name="body" rows="40"><b>hello world</b></textarea>)
     assert_dom_equal expected, actual
   end
 
   def test_text_area_tag_unescaped_nil_content
-    actual = text_area_tag "body", nil, :escape => false
+    actual = text_area_tag "body", nil
     expected = %(<textarea id="body" name="body"></textarea>)
     assert_dom_equal expected, actual
   end
diff --git a/actionpack/test/template/tag_helper_test.rb b/actionpack/test/template/tag_helper_test.rb
index 60b466a..1f839ad 100644
--- a/actionpack/test/template/tag_helper_test.rb
+++ b/actionpack/test/template/tag_helper_test.rb
@@ -40,26 +40,29 @@ class TagHelperTest < ActionView::TestCase
     assert_equal "<p>&lt;script&gt;evil_js&lt;/script&gt;</p>",
                  content_tag(:p, '<script>evil_js</script>')
     assert_equal "<p><script>evil_js</script></p>",
-                 content_tag(:p, '<script>evil_js</script>', nil, false)
+                 content_tag(:p, '<script>evil_js</script>'.html_safe)
   end
 
   def test_content_tag_with_block_in_erb
-    buffer = content_tag(:div) { concat "Hello world!" }
-    assert_dom_equal "<div>Hello world!</div>", buffer
+    buffer = content_tag(:div) { concat "<b>Hello</b> world!".html_safe }
+    assert_dom_equal "<div><b>Hello</b> world!</div>", buffer
   end
 
   def test_content_tag_with_block_and_options_in_erb
-    buffer = content_tag(:div, :class => "green") { concat "Hello world!" }
-    assert_dom_equal %(<div class="green">Hello world!</div>), buffer
+    buffer = content_tag(:div, :class => "green") { concat "<b>Hello</b> world!".html_safe }
+    assert_dom_equal %(<div class="green"><b>Hello</b> world!</div>), buffer
   end
 
   def test_content_tag_with_block_and_options_out_of_erb
-    assert_dom_equal %(<div class="green">Hello world!</div>), content_tag(:div, :class => "green") { "Hello world!" }
+    assert_dom_equal %(<div class="green">&lt;b&gt;Hello&lt;/b&gt; world!</div>), content_tag(:div, :class => "green") { "<b>Hello</b> world!" }
+    assert_dom_equal %(<div class="green"><b>Hello</b> world!</div>), content_tag(:div, :class => "green") { "<b>Hello</b> world!".html_safe }
   end
 
   def test_content_tag_with_block_and_options_outside_out_of_erb
-    assert_equal content_tag("a", "Create", :href => "create"),
-                 content_tag("a", "href" => "create") { "Create" }
+    assert_equal content_tag("a", "<b>Create</b>", :href => "create"),
+                 content_tag("a", "href" => "create") { "<b>Create</b>" }
+    assert_equal content_tag("a", "<b>Create</b>".html_safe, :href => "create"),
+                 content_tag("a", "href" => "create") { "<b>Create</b>".html_safe }
   end
 
   def test_content_tag_nested_in_content_tag_out_of_erb
@@ -83,7 +86,7 @@ class TagHelperTest < ActionView::TestCase
   end
 
   def test_content_tag_with_unescaped_array_class
-    str = content_tag('p', "limelight", {:class => ["song", "play>"]}, false)
+    str = content_tag('p', "limelight", {:class => ["song", "play>".html_safe]})
     assert_equal "<p class=\"song play>\">limelight</p>", str
   end
 
@@ -108,7 +111,7 @@ class TagHelperTest < ActionView::TestCase
   end
 
   def test_disable_escaping
-    assert_equal '<a href="&amp;" />', tag('a', { :href => '&amp;' }, false, false)
+    assert_equal '<a href="&amp;" />', tag('a', { :href => '&amp;'.html_safe })
   end
 
   def test_data_attributes
-- 
1.6.2.2