Joshua Flanagan
2012-Sep-12 16:11 UTC
TagHelper#tag allows attribute values to overflow outside of the attribute
When generating an HTML tag via TagHelper#tag (or any of the higher-level tag/form helpers that use it), it is possible to provide an attribute value that can impact the tag beyond the specified attribute. An explicit, though contrived, example should illustrate the issue. From Rails console run:

    trusted = 'good" readonly="readonly'.html_safe; print helper.tag(:input, :value => trusted)
    # => <input value="good" readonly="readonly" /> => nil

I provided a single attribute in the options hash, and yet generated 2 attributes in the output.

Regardless of the fact that the calling code provides the attribute value in a SafeBuffer, I can think of no scenario worth supporting where you would want this behavior. The "html_safe"-ness of the value should not allow you to overflow outside of the attribute you are specifying.

I can describe a real-world scenario (of SafeBuffers containing unescaped quotes), but I did not want the conversation to get sidetracked into suggested alternative approaches. The core issue is whether an attribute value should ever be able to impact the rest of the HTML tag.

I've submitted a pull request that resolves the issue (https://github.com/rails/rails/pull/7611), but I am curious to hear if there are valid reasons to support the existing behavior.
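The overflow described above, reproduced with a minimal tag builder and placed beside a hardened variant that always neutralises the attribute-delimiting quote. This is an added illustration, not Rails' TagHelper or the code in the linked pull request; SafeString, safe_value?, the two tag builders and attribute_count are constructed stand-ins.

```ruby
require 'cgi'

# Stand-in for ActiveSupport::SafeBuffer: a String whose html_safe? is true.
class SafeString < String
  def html_safe?; true; end
end

def safe_value?(value)
  value.respond_to?(:html_safe?) && value.html_safe?
end

# Behaviour described in the post: an html_safe value is emitted verbatim, so a
# double quote inside it closes the attribute and the remainder becomes new markup.
def tag_trusting_safe_flag(name, attrs)
  pairs = attrs.map do |k, v|
    text = safe_value?(v) ? v.to_s : CGI.escapeHTML(v.to_s)
    %(#{k}="#{text}")
  end
  "<#{name} #{pairs.join(' ')} />"
end

# Hardened builder: entity escaping still honours the safe flag, but the quote
# that delimits the attribute is always replaced, so a value can never extend
# beyond its own attribute regardless of how it was marked.
def tag_always_quoting(name, attrs)
  pairs = attrs.map do |k, v|
    text = safe_value?(v) ? v.to_s : CGI.escapeHTML(v.to_s)
    %(#{k}="#{text.gsub('"', '&quot;')}")
  end
  "<#{name} #{pairs.join(' ')} />"
end

# Cheap regression check: count attributes actually present in a generated tag,
# which should equal the number of keys that were passed in.
def attribute_count(tag)
  tag.scan(/\s[\w-]+="/).size
end

TRUSTED = SafeString.new('good" readonly="readonly')  # the post's input

if __FILE__ == $0
  puts tag_trusting_safe_flag(:input, value: TRUSTED)  # two attributes emitted
  puts tag_always_quoting(:input, value: TRUSTED)      # one attribute emitted
end
```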