Don't html-escape the :count option to translate if it's a Numeric. Fixes #3685.

This commit is contained in:
Jon Leighton 2011-11-19 13:19:20 +00:00
parent 86b5e81e8a
commit 603a679e87
3 changed files with 21 additions and 2 deletions

View File

@ -62,6 +62,13 @@
persistent between requests so if you need to manipulate the environment
for your test you need to do it before the cookie jar is created.
## Rails 3.1.3 (unreleased) ##
* Fix using `tranlate` helper with a html translation which uses the `:count` option for
pluralization.
*Jon Leighton*
## Rails 3.1.2 (unreleased) ##
* Fix XSS security vulnerability in the `translate` helper method. When using interpolation

View File

@ -48,8 +48,10 @@ module ActionView
if html_safe_translation_key?(key)
html_safe_options = options.dup
options.except(*I18n::RESERVED_KEYS).each do |name, value|
unless name == :count && value.is_a?(Numeric)
html_safe_options[name] = ERB::Util.html_escape(value.to_s)
end
end
translation = I18n.translate(scope_key_by_partial(key), html_safe_options)
translation.respond_to?(:html_safe) ? translation.html_safe : translation

View File

@ -19,7 +19,11 @@ class TranslationHelperTest < ActiveSupport::TestCase
:hello_html => '<a>Hello World</a>',
:interpolated_html => '<a>Hello %{word}</a>',
:array_html => %w(foo bar),
:array => %w(foo bar)
:array => %w(foo bar),
:count_html => {
:one => '<a>One %{count}</a>',
:other => '<a>Other %{count}</a>'
}
}
)
@view = ::ActionView::Base.new(ActionController::Base.view_paths, {})
@ -89,6 +93,12 @@ class TranslationHelperTest < ActiveSupport::TestCase
assert_equal '<a>Hello &lt;World&gt;</a>', translate(:'translations.interpolated_html', :word => stub(:to_s => "<World>"))
end
def test_translate_with_html_count
assert_equal '<a>One 1</a>', translate(:'translations.count_html', :count => 1)
assert_equal '<a>Other 2</a>', translate(:'translations.count_html', :count => 2)
assert_equal '<a>Other &lt;One&gt;</a>', translate(:'translations.count_html', :count => '<One>')
end
def test_translation_returning_an_array_ignores_html_suffix
assert_equal ["foo", "bar"], translate(:'translations.array_html')
end