Just trying to implement a simple helper over the past few days had me really confused.

    messages = ''
    messages << content_tag(:p, 'dave')
    #=> &lt;p&gt;dave&lt;/p&gt;

Eventually I realised the original empty string was not html_safe.

    messages = ''.html_safe
    messages << content_tag(:p, 'dave')
    #=> <p>dave</p>

Is this intentional behaviour?

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group.
To post to this group, send email to rubyonrails-core@googlegroups.com.
To unsubscribe from this group, send email to rubyonrails-core+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/rubyonrails-core?hl=en.
On Mon, May 17, 2010 at 21:07, RobL <pgdstryr@googlemail.com> wrote:

> Eventually I realised the original empty string was not html_safe

I see how you got confused, but this is intentional. All strings are originally not html_safe since there's no way of telling if they came from the author or user input. I don't agree that Rails should special-case this behavior (blank strings not html_safe) since I don't really think the way you're building content here should be encouraged. Depending on your helper as a whole, there must be better ways.

Also, what about if you're appending user input instead of just content tags:

    query = ""
    query << params[:query]
    query << content_tag(...)

If blank strings were safe to begin with, and users grew accustomed to the fact, doing this would suddenly be exposing yourself to XSS via GET/POST params.
Remember you can use raw to output unsafe strings without them being escaped.

On Mon, May 17, 2010 at 4:07 PM, RobL <pgdstryr@googlemail.com> wrote:

> Just trying to implement a simple helper over the past few days had me really confused.
>
>     messages = ''
>     messages << content_tag(:p, 'dave')
>     #=> &lt;p&gt;dave&lt;/p&gt;
>
> Eventually I realised the original empty string was not html_safe
>
>     messages = ''.html_safe
>     messages << content_tag(:p, 'dave')
>     #=> <p>dave</p>
>
> Is this intentional behaviour?
From your example:

    query = "".html_safe
    query << params[:query]  # This WOULD be escaped. The << operator is overwritten to recognize
                             # whether what is being appended is html_safe and escape it if it
                             # isn't, to maintain an html_safe string
    query << content_tag(...)
    query                    # Is still html_safe

On Mon, May 17, 2010 at 3:43 PM, Mislav Marohnić <mislav.marohnic@gmail.com> wrote:

> I see how you got confused, but this is intentional. All strings are originally not html_safe since there's no way of telling if they came from the author or user input. [...]
>
> Also, what about if you're appending user input instead of just content tags:
>
>     query = ""
>     query << params[:query]
>     query << content_tag(...)
>
> If blank strings were safe to begin with, and users grew accustomed to the fact, doing this would suddenly be exposing yourself to XSS via GET/POST params.
On Mon, May 17, 2010 at 23:54, David Genord II <albus522@gmail.com> wrote:

> From your example:
>
>     query = "".html_safe
>     query << params[:query]  # This WOULD be escaped. The << operator is overwritten to recognize
>                              # whether what is being appended is html_safe and escape it if it
>                              # isn't, to maintain an html_safe string

Ah, then my example was totally mistaken. Thank you. However, I still stand behind consistency, and not special-casing a practice that I don't find optimal for widespread use.
Mislav's example was "" without .html_safe.

There's really no obvious way to make "" become html_safe without modifying Ruby. What about:

    x = ""
    y = "#{x}#{safe_string}"

And even in the case of:

    x = ""
    x << safe_string

We'd have to override every single << in the system (a serious performance problem) to achieve this.

In the end, the rule is simple and consistent. Direct instances of String are always not html_safe. This means that concatenating safe Strings onto a String results in an unsafe String.

Yehuda Katz
Architect | Engine Yard
(ph) 718.877.1325

On Tue, May 18, 2010 at 2:03 AM, Mislav Marohnić <mislav.marohnic@gmail.com> wrote:

> Ah, then my example was totally mistaken. Thank you. However, I still stand behind consistency, and not special-casing a practice that I don't find optimal for widespread use.
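The rules the thread settles on, worked through in runnable code. This is an added example, not code from any of the posters and not ActiveSupport's implementation: `SafeBuffer`, `content_tag` and `render` below are small stand-ins that model the behaviour described (a plain String is never html_safe, a safe buffer escapes unsafe input on `<<`, and interpolation or appending onto a plain String drops the safety mark). The `<script>` payload is constructed sample input.

```ruby
require 'cgi'

# Illustrative model of the html_safe mechanics discussed in the thread.
# This is NOT ActiveSupport's code; it mirrors the rules stated above:
#   * a plain String is never html_safe
#   * a SafeBuffer is html_safe and escapes anything unsafe appended to it
#   * building a new String (interpolation, plain String#<<) drops safety
class SafeBuffer < String
  def html_safe?
    true
  end

  # Appending keeps the buffer safe: untrusted input is escaped on the way in.
  def <<(value)
    super(value.html_safe? ? value : CGI.escapeHTML(value.to_s))
  end
  alias concat <<

  # Non-destructive concatenation follows the same rule.
  def +(other)
    dup << other
  end
end

class String
  # Author text and user input look identical here, so neither is trusted.
  def html_safe?
    false
  end

  # Marking a string safe is an explicit assertion by the author.
  def html_safe
    SafeBuffer.new(self)
  end
end

# Stand-in for Rails' content_tag: the tag markup is the author's, the body
# is treated as untrusted and escaped.
def content_tag(name, body)
  buf = "<#{name}>".html_safe
  buf << body
  buf << "</#{name}>".html_safe
end

# Stand-in for the view layer: anything not marked html_safe is escaped on output.
def render(value)
  value.html_safe? ? value.to_s : CGI.escapeHTML(value.to_s)
end

# RobL's original helper: starting from a plain String means the assembled
# markup is untrusted, so the view escapes the whole thing.
def helper_plain_string
  messages = ''
  messages << content_tag(:p, 'dave')
  render(messages)
end

# The fix from the thread: start from a safe buffer and the markup survives.
def helper_safe_buffer
  messages = ''.html_safe
  messages << content_tag(:p, 'dave')
  render(messages)
end

# David's point: a safe buffer escapes user input on append, so mixing
# params with markup does not open an XSS hole.
def query_with_user_input(param)
  query = ''.html_safe
  query << param                        # plain String, so it is escaped
  query << content_tag(:em, 'results')  # already safe, kept verbatim
  render(query)
end

# Yehuda's point: interpolation builds a brand-new plain String, so the
# result is unsafe even though every piece was safe.
def interpolation_loses_safety
  x = ''.html_safe
  y = "#{x}#{content_tag(:p, 'dave')}"
  [y.html_safe?, render(y)]
end

if __FILE__ == $PROGRAM_NAME
  puts helper_plain_string
  puts helper_safe_buffer
  puts query_with_user_input('<script>alert(1)</script>')  # constructed sample input
  p interpolation_loses_safety
end
```

The escaping happens in two places, and the thread's confusion comes from mixing them up: `SafeBuffer#<<` escapes on the way in, while the view (`render` here) escapes on the way out anything that never got the safe mark. A helper that assembles markup in a plain String passes the second check and gets escaped wholesale; one that appends user input to a safe buffer gets that input escaped individually and keeps its markup.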
Thanks for the clarification guys.

RobL

On 17 May 2010 23:19, Yehuda Katz <wycats@gmail.com> wrote:

> Mislav's example was "" without .html_safe.
>
> There's really no obvious way to make "" become html_safe without modifying Ruby. What about:
>
>     x = ""
>     y = "#{x}#{safe_string}"
>
> And even in the case of:
>
>     x = ""
>     x << safe_string
>
> We'd have to override every single << in the system (a serious performance problem) to achieve this.
>
> In the end, the rule is simple and consistent. Direct instances of String are always not html_safe. This means that concatenating safe Strings onto a String results in an unsafe String.

--
Rob Lacey
contact@robl.me
http://www.robl.me