Hi there,

if I use the form_tag helper every html command within that helper block gets escaped and is not recognized by the browser as a tag. Is that a bug or a feature? On irc nobody had an answer.

Example:

<% form_tag do %>
<div></div>
<% end %>

I tried this with rails 2.3.7 and 2.3.8. Every time the same problem. On rails 2.3.5 everything works fine.

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group.
To post to this group, send email to rubyonrails-core@googlegroups.com.
To unsubscribe from this group, send email to rubyonrails-core+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/rubyonrails-core?hl=en.
This was a bug in 2.3.7 and is not supposed to be the case in 2.3.8. Please ensure your application really is using 2.3.8.

On 30 May 2010 08:33, chrispie <chrispietsch1@googlemail.com> wrote:
> Hi there,
>
> if I use the form_tag helper every html command within that helper
> block gets escaped and is not recognized by the browser as a tag.
>
> Is that a bug or a feature? On irc nobody had an answer.
>
> Example:
>
> <% form_tag do %>
> <div></div>
> <% end %>
>
> I tried this with rails 2.3.7 and 2.3.8. Every time the same problem.
> On rails 2.3.5 everything works fine.

--
Ryan Bigg / Radar
On Mon, May 31, 2010 at 5:08 PM, Ryan Bigg <radarlistener@gmail.com> wrote:
> This was a bug in 2.3.7 and is not supposed to be the case in 2.3.8. Please
> ensure your application really is using 2.3.8.

I'm still seeing problems with the 2.3.8 gems, in particular if the output from a Rails helper is concatenated with a fixed string:

def test1
  "test1<br>test1<br>"
end

def test2
  link_to_function("test2", "alert('test2')") + "<br>test2<br>"
end

Then if a view has:

<%= test1 %>
<%= test2 %>

With 2.3.5 and earlier the HTML output is correct:

test1<br>test1<br>
<a href="#" onclick="alert('test2'); return false;">test2</a><br>test2<br>

But with 2.3.8 the literal string appended to the helper results is incorrectly escaped:

test1<br>test1<br>
<a href="#" onclick="alert('test2'); return false;">test2</a>&lt;br&gt;test2&lt;br&gt;

Of course this is what we expect if using Rails 3 or the rails_xss plugin, but it is not expected from the 2.3.8 upgrade (with rails_xss not installed).

I've confirmed I have 2.3.8 installed - frozen in, and the top entry in the actionpack changelog is "* HTML safety: fix compatibility *without* the optional rails_xss plugin."
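The behaviour Will reports is the safe-buffer rule that 2.3.7/2.3.8 brought over from rails_xss: a helper returns a buffer marked HTML-safe, and appending a plain String to such a buffer escapes that string, because the buffer cannot tell a trusted literal from user input. The following is an added example, not code from this thread or from Rails itself. MiniSafeBuffer, link_to_alert, test2_broken, test2_fixed and greeting are constructed names that model the rule in a few lines so it runs without Rails (Rails' real implementation is ActiveSupport::SafeBuffer). It shows the concatenation from Will's test2 coming out escaped, the idiom that makes it render (marking the literal with html_safe, which ActiveSupport provides on String), and why the rule is worth having in the first place.

```ruby
require 'cgi'

# Constructed, simplified model of the safe-buffer rule (not Rails' own
# ActiveSupport::SafeBuffer): a buffer marked HTML-safe escapes every plain
# String appended to it and passes other safe buffers through untouched.
class MiniSafeBuffer < String
  def html_safe?
    true
  end

  # `safe + other` returns a new safe buffer; `other` is escaped unless it
  # is itself marked safe.
  def +(other)
    MiniSafeBuffer.new(super(escape_unless_safe(other)))
  end

  # In-place append follows the same rule.
  def <<(other)
    super(escape_unless_safe(other))
  end
  alias_method :concat, :<<

  private

  def escape_unless_safe(other)
    other.html_safe? ? other.to_s : CGI.escapeHTML(other.to_s)
  end
end

class String
  # Plain strings are untrusted by default ...
  def html_safe?
    false
  end

  # ... until the author explicitly vouches for them.
  def html_safe
    MiniSafeBuffer.new(self)
  end
end

# Stand-in for a 2.3.8 helper such as link_to_function (hypothetical name):
# helpers return a safe buffer, with caller-supplied values escaped first.
def link_to_alert(text, message)
  %(<a href="#" onclick="alert('#{CGI.escapeHTML(message)}'); return false;">#{CGI.escapeHTML(text)}</a>).html_safe
end

# The pattern from the thread: a trusted literal appended to helper output
# is treated as untrusted and comes out as &lt;br&gt;.
def test2_broken
  link_to_alert("test2", "test2") + "<br>test2<br>"
end

# The idiom that works under safe-buffer semantics: vouch for the literal.
def test2_fixed
  link_to_alert("test2", "test2") + "<br>test2<br>".html_safe
end

# The reason the rule exists: a value nobody vouched for, such as user
# input, is neutralised instead of being rendered as markup.
def greeting(name)
  "<p>Hello, ".html_safe + name + "</p>".html_safe
end

if __FILE__ == $PROGRAM_NAME
  puts test2_broken
  puts test2_fixed
  puts greeting("<b>Mallory</b>")   # constructed untrusted input
end
```

The model deliberately escapes on concatenation rather than at output time, which is exactly why a literal that was fine in 2.3.5 turns into entities in 2.3.8: the decision is made when the String meets the safe buffer, not when the view is rendered. Marking only the literals you actually control, never arbitrary input, keeps the protection while restoring the old output.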
There is already a patch for that in 2.3.9:
https://rails.lighthouseapp.com/projects/8994/tickets/4695-string-added-to-rails_helpers-gets-html-escaped

-j

On Jun 9, 3:35 am, Will Bryant <will.bry...@gmail.com> wrote:
> On Mon, May 31, 2010 at 5:08 PM, Ryan Bigg <radarliste...@gmail.com> wrote:
> > This was a bug in 2.3.7 and is not supposed to be the case in 2.3.8. Please
> > ensure your application really is using 2.3.8.
>
> I'm still seeing problems with the 2.3.8 gems, in particular if the
> output from a Rails helper is concatenated with a fixed string:
>
> def test1
>   "test1<br>test1<br>"
> end
>
> def test2
>   link_to_function("test2", "alert('test2')") + "<br>test2<br>"
> end
>
> Then if a view has:
>
> <%= test1 %>
> <%= test2 %>
>
> With 2.3.5 and earlier the HTML output is correct:
>
> test1<br>test1<br>
> <a href="#" onclick="alert('test2'); return false;">test2</a><br>test2<br>
>
> But with 2.3.8 the literal string appended to the helper results is
> incorrectly escaped:
>
> test1<br>test1<br>
> <a href="#" onclick="alert('test2'); return false;">test2</a>&lt;br&gt;test2&lt;br&gt;
>
> Of course this is what we expect if using Rails 3 or the rails_xss
> plugin, but it is not expected from the 2.3.8 upgrade (with rails_xss
> not installed).
>
> I've confirmed I have 2.3.8 installed - frozen in, and the top entry
> in the actionpack changelog is "* HTML safety: fix compatibility
> *without* the optional rails_xss plugin."