Merge pull request rails#47318 from seanpdoyle/token-list-escaping

guilleiguaran · web-flow · commit fad9050d80cb · 2023-02-08T11:11:47.000-08:00
`token_list`: Guard Stimulus' `data-action` from multiple escapes
diff --git a/actionview/CHANGELOG.md b/actionview/CHANGELOG.md
@@ -1,3 +1,7 @@
+*   Guard `token_list` calls from escaping HTML too often
+
+    *Sean Doyle*
+
 *   `select` can now be called with a single hash containing options and some HTML options
 
     Previously this would not work as expected:
diff --git a/actionview/lib/action_view/helpers/tag_helper.rb b/actionview/lib/action_view/helpers/tag_helper.rb
@@ -363,7 +363,7 @@ def content_tag(name, content_or_options_with_block = nil, options = nil, escape
       #   token_list(nil, false, 123, "", "foo", { bar: true })
       #    # => "123 foo bar"
       def token_list(*args)
-        tokens = build_tag_values(*args).flat_map { |value| value.to_s.split(/\s+/) }.uniq
+        tokens = build_tag_values(*args).flat_map { |value| CGI.unescape_html(value.to_s).split(/\s+/) }.uniq
 
         safe_join(tokens, " ")
       end
diff --git a/actionview/test/template/tag_helper_test.rb b/actionview/test/template/tag_helper_test.rb
@@ -448,6 +448,29 @@ def test_token_list_and_class_names
     end
   end
 
+  def test_token_list_and_class_names_returns_an_html_safe_string
+    assert_predicate token_list("a value"), :html_safe?
+    assert_predicate class_names("a value"), :html_safe?
+  end
+
+  def test_token_list_and_class_names_only_html_escape_once
+    [:token_list, :class_names].each do |helper_method|
+      helper = ->(*arguments) { public_send(helper_method, *arguments) }
+
+      tokens = %w[
+        click->controller#action1
+        click->controller#action2
+        click->controller#action3
+        click->controller#action4
+      ]
+
+      token_list = tokens.reduce(&helper)
+
+      assert_predicate token_list, :html_safe?
+      assert_equal tokens, (CGI.unescape_html(token_list)).split
+    end
+  end
+
   def test_content_tag_with_data_attributes
     assert_dom_equal '<p data-number="1" data-string="hello" data-string-with-quotes="double&quot;quote&quot;party&quot;">limelight</p>',
       content_tag("p", "limelight", data: { number: 1, string: "hello", string_with_quotes: 'double"quote"party"' })
