The change that Santiago mentioned
(https://github.com/rails/rails/commit/bb9c58eb4aa637fa75c69c705a9918d6322ff834)
also causes content_tag always to escape its output, even when the 'escape'
parameter is set to false. However, from my experiments it seems the
'escape' parameter wasn't working before the change either. Instead of
always escaping the output, content_tag was never escaping the output.
In a 3.0.1 Rails project the output is never escaped but html_safe?
always returns true:
rails console
Loading development environment (Rails 3.0.1)
ruby-1.8.7-p330 :001 > helper.content_tag :div do '<b>hello</b>' end
=> "<div><b>hello</b></div>"
ruby-1.8.7-p330 :002 > (helper.content_tag :div do '<b>hello</b>' end).html_safe?
=> true
ruby-1.8.7-p330 :003 > helper.content_tag :div,nil,nil,true do '<b>hello</b>' end
=> "<div><b>hello</b></div>"
ruby-1.8.7-p330 :004 > (helper.content_tag :div,nil,nil,true do '<b>hello</b>' end).html_safe?
=> true
ruby-1.8.7-p330 :005 > helper.content_tag :div,nil,nil,false do '<b>hello</b>' end
=> "<div><b>hello</b></div>"
ruby-1.8.7-p330 :006 > (helper.content_tag :div,nil,nil,false do '<b>hello</b>' end).html_safe?
=> true
In a Rails 3.0.2 project the content is always escaped and html_safe?
always returns true:
rails console
Loading development environment (Rails 3.0.2)
ruby-1.8.7-p330 :001 > helper.content_tag :div do '<b>hello</b>' end
=> "<div><b>hello</b></div>"
ruby-1.8.7-p330 :002 > (helper.content_tag :div do '<b>hello</b>' end).html_safe?
=> true
ruby-1.8.7-p330 :003 > helper.content_tag :div,nil,nil,true do '<b>hello</b>' end
=> "<div><b>hello</b></div>"
ruby-1.8.7-p330 :004 > (helper.content_tag :div,nil,nil,true do '<b>hello</b>' end).html_safe?
=> true
ruby-1.8.7-p330 :005 > helper.content_tag :div,nil,nil,false do '<b>hello</b>' end
=> "<div><b>hello</b></div>"
ruby-1.8.7-p330 :006 > (helper.content_tag :div,nil,nil,false do '<b>hello</b>' end).html_safe?
=> true
So at least in Rails 3.0.2 the html_safe? function is reporting the
truth. But content_tag escapes the output even when escape=false (see
the last two lines).
I would submit a patch but I'm not sure what the right fix is.
Brian Morearty
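As an added example (not code from this thread and not Rails' own implementation), the following models the contract the whole discussion turns on: a string is either marked html_safe? or it is not, an escaper leaves marked strings alone and escapes everything else, and a capture path like the one in the commit Santiago refers to runs the block's result through that escaper. The names SafeBuffer, safe_escape and capture_block, and the escape table, are assumptions for illustration only; the JavaScript heredoc is the one from Joaquin's reply.

```ruby
# Added example: a minimal model of the html_safe? / html_escape contract.
# Assumptions: SafeBuffer, safe_escape and capture_block are illustrative
# names, not Rails' API; the escape table is this example's own.

# A String subclass that carries the "already escaped, trusted" flag.
class SafeBuffer < String
  def html_safe?
    true
  end
end

class String
  # Plain strings are untrusted by default ...
  def html_safe?
    false
  end

  # ... until the caller explicitly vouches for them.
  def html_safe
    SafeBuffer.new(self)
  end
end

# Escape table used by this example (assumption: the apostrophe is included
# here for safety in attribute values; it is not claimed to match Rails 3.0).
HTML_ESCAPE = { '&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
                '"' => '&quot;', "'" => '&#39;' }.freeze

# Escape unless the string is already marked safe. The result is always a
# SafeBuffer, which is why html_safe? reports true in both console sessions:
# the flag describes the output, not whether escaping was actually needed.
def safe_escape(s)
  return s if s.html_safe?
  SafeBuffer.new(s.to_s.gsub(/[&<>"']/) { |c| HTML_ESCAPE[c] })
end

# Stand-in for a capture path that escapes the block's return value before
# storing it (the shape of the change the thread is about).
def capture_block
  safe_escape(yield)
end

# Constructed sample input, taken from the reply quoted in this thread.
JS_SNIPPET = <<JS
<script type="text/javascript">
alert('hello');
</script>
JS

# The "wrong as now" form: a raw heredoc is untrusted, so it gets escaped.
def raw_result
  capture_block { JS_SNIPPET }
end

# The "ok" form: marking the heredoc html_safe keeps the markup intact.
def marked_safe_result
  capture_block { JS_SNIPPET.html_safe }
end

if __FILE__ == $0
  puts raw_result
  puts marked_safe_result
end
```

Running the file prints the escaped `&lt;script ...` text first and the unchanged script tag second. The important property for a reviewer is the second `safe_escape` call on an already escaped value: because the result is marked safe, passing it through the escaper again is a no-op, so the flag is what prevents double escaping, not the absence of escaping.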
On Feb 10, 5:36 am, Joaquin Rivera Padron <joahk...@gmail.com> wrote:
> you are totally right, I was missing a html_safe :-)
>
> this is wrong as now:
>
> content_for :js do
> <<JS
> <script type="text/javascript">
> alert('hello');
> </script>
> JS
> end
>
> this is ok:
>
> js = <<JS
> <script type="text/javascript">
> alert('hello');
> </script>
> JS
>
> content_for :js do
> js.html_safe
> end
>
> thanks a lot
> jk
>
> 2011/2/10 Joaquin Rivera Padron <joahk...@gmail.com>
>
>
>
> > I'll check, thanks for the reply
>
> > jk
>
> > 2011/2/10 Santiago Pastorino <santi...@wyeworks.com>
>
> >> This commit
> >> https://github.com/rails/rails/commit/2c8bff3513b17a8ad55595a61601bfb...
> >> just changes from html_escape string to ERB::Util.html_escape(string)
> >> so both are calling the same method.
>
> >> You're talking about this one
>
> >> https://github.com/rails/rails/commit/bb9c58eb4aa637fa75c69c705a9918d...
> >> and this fixes a security issue. I'd say that you're missing a html_safe
> >> somewhere.
>
> >> On Thu, Feb 10, 2011 at 10:54 AM, Joaquin Rivera Padron
> >> <joahk...@gmail.com> wrote:
>
> >> > commit 2c8bff3513b17a8ad55595a61601bfba14ad40bf
> >> > Author: Santiago Pastorino <santi...@wyeworks.com>
> >> > Date: Tue Nov 2 20:18:22 2010 -0200
> >> > Call as ERB::Util.html_escape since the module is not included here
>
> >> > 2011/2/10 Joaquin Rivera Padron <joahk...@gmail.com>
>
> >> >> hi,
> >> >> I diff-ed 3.0.0 with 3.0.1 and I got this
> >> >> diff --git
> >> a/actionpack/lib/action_dispatch/routing/polymorphic_routes.rb
> >> >> b/actionpack/lib/action_dispatch/routing/polymorphic_routes.rb
> >> >> index 142cd08..fb2118a 100644
> >> >> --- a/actionpack/lib/action_dispatch/routing/polymorphic_routes.rb
> >> >> +++ b/actionpack/lib/action_dispatch/routing/polymorphic_routes.rb
> >> >> @@ -17,7 +17,7 @@ module ActionDispatch
> >> >> #
> >> >> ...skipping...
> >> >> buffer = with_output_buffer { value = yield(*args) }
> >> >> if string = buffer.presence || value and string.is_a?(String)
> >> >> - NonConcattingString.new(string)
> >> >> + NonConcattingString.new(ERB::Util.html_escape(string))
> >> >> end
> >> >> end
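Review bot: the `-`/`+` pair is the only change here, and it moves every captured block result through `ERB::Util.html_escape` before it is wrapped in `NonConcattingString`; putting the old `NonConcattingString.new(string)` back, as suggested just below, would undo the security fix Santiago refers to, so the caller-side fix is to mark trusted markup with `html_safe` before returning it from the block (as the later reply in this thread confirms). Separately, the hunk as pasted is not a complete diff: the `...skipping...` marker shows the pager dropped lines between the `polymorphic_routes.rb` header and these `with_output_buffer` / `yield(*args)` lines, so the file named in the header cannot be assumed to be the file this hunk belongs to.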
> >> >> if I put back the NonConcattingString.new(string) it works (at least
> >> >> for me)
> >> >> don't know the implications though, wdyt?
> >> >> jk
> >> >> 2011/2/10 Joaquin Rivera Padron <joahk...@gmail.com>
>
> >> >>> yes, if by 3-0-stable you mean 3.0.0, yes it works
> >> >>> thanks for the "ping offer", I'll let you know if anything, but I
> >> >>> won't (can't) be full time chasing the bug :-(
> >> >>> jk
>
> >> >>> 2011/2/10 Santiago Pastorino <santi...@wyeworks.com>
>
> >> >>>> Great, ping me if I can help you.
> >> >>>> BTW did you try 3-0-stable?
>
> >> >>>> On Thu, Feb 10, 2011 at 9:51 AM, Joaquin Rivera Padron
> >> >>>> <joahk...@gmail.com> wrote:
> >> >>>> > for me versions 3.0.4, 3.0.4.rc1, 3.0.3 and 3.0.2 are also broken
> >> >>>> > ok is 3.0.1, will keep digging then
> >> >>>> > jk
>
> >> >>>> > 2011/2/9 Brian Morearty <bmorea...@gmail.com>