From 1df7a3b9d5c2928616fe4e7d6f29898e3e69c8a3 Mon Sep 17 00:00:00 2001
From: Visita
Date: Wed, 10 Apr 2013 12:19:01 -0300
Subject: [PATCH] Escaping title html in block_helper::block_title()

---
 app/helpers/block_helper.rb    |  2 +-
 test/unit/block_helper_test.rb | 13 +++++++++++++
 2 files changed, 14 insertions(+), 1 deletion(-)
 create mode 100644 test/unit/block_helper_test.rb

diff --git a/app/helpers/block_helper.rb b/app/helpers/block_helper.rb
index 8fbe47f..b416253 100644
--- a/app/helpers/block_helper.rb
+++ b/app/helpers/block_helper.rb
@@ -3,7 +3,7 @@ module BlockHelper
   def block_title(title)
     tag_class = 'block-title'
     tag_class += ' empty' if title.empty?
-    content_tag 'h3', content_tag('span', title), :class => tag_class
+    content_tag 'h3', content_tag('span', h(title)), :class => tag_class
   end
 end
diff --git a/test/unit/block_helper_test.rb b/test/unit/block_helper_test.rb
new file mode 100644
index 0000000..4dfb152
--- /dev/null
+++ b/test/unit/block_helper_test.rb
@@ -0,0 +1,13 @@
+require File.dirname(__FILE__) + '/../test_helper'
+
+class BlogHelperTest < ActiveSupport::TestCase
+
+  include BlockHelper
+  include ActionView::Helpers::TagHelper
+
+  should 'escape title html' do
+    assert_no_match //, block_title('test')
+    assert_match /<b>test<\/b>/, block_title('test')
+  end
+
+end
--
libgit2 0.21.2
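Review bot: The escaping added on the `content_tag('span', h(title))` line only covers the string case; the unchanged `tag_class += ' empty' if title.empty?` two lines above still raises NoMethodError when a caller passes nil, so the helper is safe for strings but not total over its input. Normalising once at the top of `block_title`, `title = title.to_s`, makes the class computation and the escaped span agree on the same value, and `h` on the empty string yields the expected empty span. A one-line why-comment above the changed line would also help the next maintainer keep the escape in place: `# title is caller-supplied and rendered as span text, so it must be HTML-escaped here`. As rendered, this hunk shows six old lines against a header count of seven, so one context line (probably a blank) appears to have been lost in extraction.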
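Review bot: The new test class in test/unit/block_helper_test.rb is declared as `BlogHelperTest`, which does not match the file it lives in or the `BlockHelper` module it includes; the usual convention, and what a reader will search for, is `class BlockHelperTest < ActiveSupport::TestCase`. Separately, as shown on this page the first assertion reads `assert_no_match //, block_title('test')` (an empty regexp, which never matches anything) and the second expects a raw `<b>test<\/b>` in the output, which looks like the page extraction stripped a tag from the input and decoded HTML entities in the expectation rather than the committed text; if the file really reads this way, neither assertion demonstrates escaping, since the input `'test'` contains no markup. The check worth keeping is that an input containing a tag comes back with the tag entity-encoded and that the raw tag is absent from the output.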