hello, I have today updated my rails app to 3.0.4 security release but now this yield :javascripts fails in the layout and I get my custom js escaped as text in the view. anybody seeing this also? tia, jk -- www.least-significant-bit.com -- You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group. To post to this group, send email to rubyonrails-core@googlegroups.com. To unsubscribe from this group, send email to rubyonrails-core+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/rubyonrails-core?hl=en.
Yes, I saw something similar when I upgraded to 3.0.4 this morning. I didn''t have a chance to debug it so for the moment I went back to 3.0.1. I wasn''t sure if it was my doing so I didn''t say anything on this list. I have a helper function that returns an HTML string. The function calls .html_safe before returning. That worked in 3.0.1 but in 3.0.4 it is being escaped in the output. I also tried adding .html_safe to the .html.erb file (double-safe it) but to no avail. I was not able to reproduce it in a simple case though, even in very same function. Brian On Feb 9, 1:06 pm, Joaquin Rivera Padron <joahk...@gmail.com> wrote:> hello, > I have today updated my rails app to 3.0.4 security release but now this > > yield :javascripts > > fails in the layout and I get my custom js escaped as text in the view. > > anybody seeing this also? > > tia, > jk > > --www.least-significant-bit.com-- You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group. To post to this group, send email to rubyonrails-core@googlegroups.com. To unsubscribe from this group, send email to rubyonrails-core+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/rubyonrails-core?hl=en.
for me are broken also versions 3.0.4, 3.0.4.rc1, 3.0.3 and 3.0.2 ok is 3.0.1, will keep digging then jk 2011/2/9 Brian Morearty <bmorearty@gmail.com>> Yes, I saw something similar when I upgraded to 3.0.4 this morning. I > didn''t have a chance to debug it so for the moment I went back to > 3.0.1. I wasn''t sure if it was my doing so I didn''t say anything on > this list. > > I have a helper function that returns an HTML string. The function > calls .html_safe before returning. That worked in 3.0.1 but in 3.0.4 > it is being escaped in the output. > > I also tried adding .html_safe to the .html.erb file (double-safe it) > but to no avail. > > I was not able to reproduce it in a simple case though, even in very > same function. > > Brian > > > On Feb 9, 1:06 pm, Joaquin Rivera Padron <joahk...@gmail.com> wrote: > > hello, > > I have today updated my rails app to 3.0.4 security release but now this > > > > yield :javascripts > > > > fails in the layout and I get my custom js escaped as text in the view. > > > > anybody seeing this also? > > > > tia, > > jk > > > > --www.least-significant-bit.com > > -- > You received this message because you are subscribed to the Google Groups > "Ruby on Rails: Core" group. > To post to this group, send email to rubyonrails-core@googlegroups.com. > To unsubscribe from this group, send email to > rubyonrails-core+unsubscribe@googlegroups.com. > For more options, visit this group at > http://groups.google.com/group/rubyonrails-core?hl=en. > >-- www.least-significant-bit.com -- You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group. To post to this group, send email to rubyonrails-core@googlegroups.com. To unsubscribe from this group, send email to rubyonrails-core+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/rubyonrails-core?hl=en.
Great, ping me if I can help you. BTW did you tried 3-0-stable? On Thu, Feb 10, 2011 at 9:51 AM, Joaquin Rivera Padron <joahking@gmail.com> wrote:> for me are broken also versions 3.0.4, 3.0.4.rc1, 3.0.3 and 3.0.2 > ok is 3.0.1, will keep digging then > jk > > 2011/2/9 Brian Morearty <bmorearty@gmail.com> >> >> Yes, I saw something similar when I upgraded to 3.0.4 this morning. I >> didn''t have a chance to debug it so for the moment I went back to >> 3.0.1. I wasn''t sure if it was my doing so I didn''t say anything on >> this list. >> >> I have a helper function that returns an HTML string. The function >> calls .html_safe before returning. That worked in 3.0.1 but in 3.0.4 >> it is being escaped in the output. >> >> I also tried adding .html_safe to the .html.erb file (double-safe it) >> but to no avail. >> >> I was not able to reproduce it in a simple case though, even in very >> same function. >> >> Brian >> >> >> On Feb 9, 1:06 pm, Joaquin Rivera Padron <joahk...@gmail.com> wrote: >> > hello, >> > I have today updated my rails app to 3.0.4 security release but now this >> > >> > yield :javascripts >> > >> > fails in the layout and I get my custom js escaped as text in the view. >> > >> > anybody seeing this also? >> > >> > tia, >> > jk >> > >> > --www.least-significant-bit.com >> >> -- >> You received this message because you are subscribed to the Google Groups >> "Ruby on Rails: Core" group. >> To post to this group, send email to rubyonrails-core@googlegroups.com. >> To unsubscribe from this group, send email to >> rubyonrails-core+unsubscribe@googlegroups.com. >> For more options, visit this group at >> http://groups.google.com/group/rubyonrails-core?hl=en. >> > > > > -- > www.least-significant-bit.com > > -- > You received this message because you are subscribed to the Google Groups > "Ruby on Rails: Core" group. > To post to this group, send email to rubyonrails-core@googlegroups.com. > To unsubscribe from this group, send email to > rubyonrails-core+unsubscribe@googlegroups.com. > For more options, visit this group at > http://groups.google.com/group/rubyonrails-core?hl=en. >-- You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group. To post to this group, send email to rubyonrails-core@googlegroups.com. To unsubscribe from this group, send email to rubyonrails-core+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/rubyonrails-core?hl=en.
yes, if by 3-0-stable you mean 3.0.0, yes it works thanks for the "ping offer", I''ll let you know if anything, but I won''t (can''t) be full time chasing the bug :-( jk 2011/2/10 Santiago Pastorino <santiago@wyeworks.com>> Great, ping me if I can help you. > BTW did you tried 3-0-stable? > > On Thu, Feb 10, 2011 at 9:51 AM, Joaquin Rivera Padron > <joahking@gmail.com> wrote: > > for me are broken also versions 3.0.4, 3.0.4.rc1, 3.0.3 and 3.0.2 > > ok is 3.0.1, will keep digging then > > jk > > > > 2011/2/9 Brian Morearty <bmorearty@gmail.com> > >> > >> Yes, I saw something similar when I upgraded to 3.0.4 this morning. I > >> didn''t have a chance to debug it so for the moment I went back to > >> 3.0.1. I wasn''t sure if it was my doing so I didn''t say anything on > >> this list. > >> > >> I have a helper function that returns an HTML string. The function > >> calls .html_safe before returning. That worked in 3.0.1 but in 3.0.4 > >> it is being escaped in the output. > >> > >> I also tried adding .html_safe to the .html.erb file (double-safe it) > >> but to no avail. > >> > >> I was not able to reproduce it in a simple case though, even in very > >> same function. > >> > >> Brian > >> > >> > >> On Feb 9, 1:06 pm, Joaquin Rivera Padron <joahk...@gmail.com> wrote: > >> > hello, > >> > I have today updated my rails app to 3.0.4 security release but now > this > >> > > >> > yield :javascripts > >> > > >> > fails in the layout and I get my custom js escaped as text in the > view. > >> > > >> > anybody seeing this also? > >> > > >> > tia, > >> > jk > >> > > >> > --www.least-significant-bit.com > >> > >> -- > >> You received this message because you are subscribed to the Google > Groups > >> "Ruby on Rails: Core" group. > >> To post to this group, send email to rubyonrails-core@googlegroups.com. > >> To unsubscribe from this group, send email to > >> rubyonrails-core+unsubscribe@googlegroups.com. > >> For more options, visit this group at > >> http://groups.google.com/group/rubyonrails-core?hl=en. > >> > > > > > > > > -- > > www.least-significant-bit.com > > > > -- > > You received this message because you are subscribed to the Google Groups > > "Ruby on Rails: Core" group. > > To post to this group, send email to rubyonrails-core@googlegroups.com. > > To unsubscribe from this group, send email to > > rubyonrails-core+unsubscribe@googlegroups.com. > > For more options, visit this group at > > http://groups.google.com/group/rubyonrails-core?hl=en. > > > > -- > You received this message because you are subscribed to the Google Groups > "Ruby on Rails: Core" group. > To post to this group, send email to rubyonrails-core@googlegroups.com. > To unsubscribe from this group, send email to > rubyonrails-core+unsubscribe@googlegroups.com. > For more options, visit this group at > http://groups.google.com/group/rubyonrails-core?hl=en. > >-- www.least-significant-bit.com -- You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group. To post to this group, send email to rubyonrails-core@googlegroups.com. To unsubscribe from this group, send email to rubyonrails-core+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/rubyonrails-core?hl=en.
hi, I diff-ed 3.0.0 with 3.0.1 and I got this diff --git a/actionpack/lib/action_dispatch/routing/polymorphic_routes.rb b/actionpack/lib/action_dispatch/routing/polymorphic_routes.rb index 142cd08..fb2118a 100644 --- a/actionpack/lib/action_dispatch/routing/polymorphic_routes.rb +++ b/actionpack/lib/action_dispatch/routing/polymorphic_routes.rb @@ -17,7 +17,7 @@ module ActionDispatch # ...skipping... buffer = with_output_buffer { value = yield(*args) } if string = buffer.presence || value and string.is_a?(String) - NonConcattingString.new(string) + NonConcattingString.new(*ERB::Util.html_escape(string)*) end end if I put bac k the NonConcattingString.new(string) it works (at least for me) don''t know the implications though, wdyt? jk 2011/2/10 Joaquin Rivera Padron <joahking@gmail.com>> yes, if by 3-0-stable you mean 3.0.0, yes it works > > thanks for the "ping offer", I''ll let you know if anything, but I won''t > (can''t) be full time chasing the bug :-( > > jk > > 2011/2/10 Santiago Pastorino <santiago@wyeworks.com> > > Great, ping me if I can help you. >> BTW did you tried 3-0-stable? >> >> On Thu, Feb 10, 2011 at 9:51 AM, Joaquin Rivera Padron >> <joahking@gmail.com> wrote: >> > for me are broken also versions 3.0.4, 3.0.4.rc1, 3.0.3 and 3.0.2 >> > ok is 3.0.1, will keep digging then >> > jk >> > >> > 2011/2/9 Brian Morearty <bmorearty@gmail.com> >> >> >> >> Yes, I saw something similar when I upgraded to 3.0.4 this morning. I >> >> didn''t have a chance to debug it so for the moment I went back to >> >> 3.0.1. I wasn''t sure if it was my doing so I didn''t say anything on >> >> this list. >> >> >> >> I have a helper function that returns an HTML string. The function >> >> calls .html_safe before returning. That worked in 3.0.1 but in 3.0.4 >> >> it is being escaped in the output. >> >> >> >> I also tried adding .html_safe to the .html.erb file (double-safe it) >> >> but to no avail. >> >> >> >> I was not able to reproduce it in a simple case though, even in very >> >> same function. >> >> >> >> Brian >> >> >> >> >> >> On Feb 9, 1:06 pm, Joaquin Rivera Padron <joahk...@gmail.com> wrote: >> >> > hello, >> >> > I have today updated my rails app to 3.0.4 security release but now >> this >> >> > >> >> > yield :javascripts >> >> > >> >> > fails in the layout and I get my custom js escaped as text in the >> view. >> >> > >> >> > anybody seeing this also? >> >> > >> >> > tia, >> >> > jk >> >> > >> >> > --www.least-significant-bit.com >> >> >> >> -- >> >> You received this message because you are subscribed to the Google >> Groups >> >> "Ruby on Rails: Core" group. >> >> To post to this group, send email to rubyonrails-core@googlegroups.com >> . >> >> To unsubscribe from this group, send email to >> >> rubyonrails-core+unsubscribe@googlegroups.com. >> >> For more options, visit this group at >> >> http://groups.google.com/group/rubyonrails-core?hl=en. >> >> >> > >> > >> > >> > -- >> > www.least-significant-bit.com >> > >> > -- >> > You received this message because you are subscribed to the Google >> Groups >> > "Ruby on Rails: Core" group. >> > To post to this group, send email to rubyonrails-core@googlegroups.com. >> > To unsubscribe from this group, send email to >> > rubyonrails-core+unsubscribe@googlegroups.com. >> > For more options, visit this group at >> > http://groups.google.com/group/rubyonrails-core?hl=en. >> > >> >> -- >> You received this message because you are subscribed to the Google Groups >> "Ruby on Rails: Core" group. >> To post to this group, send email to rubyonrails-core@googlegroups.com. >> To unsubscribe from this group, send email to >> rubyonrails-core+unsubscribe@googlegroups.com. >> For more options, visit this group at >> http://groups.google.com/group/rubyonrails-core?hl=en. >> >> > > > -- > www.least-significant-bit.com >-- www.least-significant-bit.com -- You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group. To post to this group, send email to rubyonrails-core@googlegroups.com. To unsubscribe from this group, send email to rubyonrails-core+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/rubyonrails-core?hl=en.
commit 2c8bff3513b17a8ad55595a61601bfba14ad40bf Author: Santiago Pastorino <santiago@wyeworks.com> Date: Tue Nov 2 20:18:22 2010 -0200 Call as ERB::Util.html_escape since is not the module is not included here 2011/2/10 Joaquin Rivera Padron <joahking@gmail.com>> hi, > I diff-ed 3.0.0 with 3.0.1 and I got this > > diff --git a/actionpack/lib/action_dispatch/routing/polymorphic_routes.rb > b/actionpack/lib/action_dispatch/routing/polymorphic_routes.rb > index 142cd08..fb2118a 100644 > --- a/actionpack/lib/action_dispatch/routing/polymorphic_routes.rb > +++ b/actionpack/lib/action_dispatch/routing/polymorphic_routes.rb > @@ -17,7 +17,7 @@ module ActionDispatch > # > ...skipping... > buffer = with_output_buffer { value = yield(*args) } > if string = buffer.presence || value and string.is_a?(String) > - NonConcattingString.new(string) > + NonConcattingString.new(*ERB::Util.html_escape(string)*) > end > end > > if I put bac k the NonConcattingString.new(string) it works (at least for > me) > > don''t know the implications though, wdyt? > > jk > > 2011/2/10 Joaquin Rivera Padron <joahking@gmail.com> > > yes, if by 3-0-stable you mean 3.0.0, yes it works >> >> thanks for the "ping offer", I''ll let you know if anything, but I won''t >> (can''t) be full time chasing the bug :-( >> >> jk >> >> 2011/2/10 Santiago Pastorino <santiago@wyeworks.com> >> >> Great, ping me if I can help you. >>> BTW did you tried 3-0-stable? >>> >>> On Thu, Feb 10, 2011 at 9:51 AM, Joaquin Rivera Padron >>> <joahking@gmail.com> wrote: >>> > for me are broken also versions 3.0.4, 3.0.4.rc1, 3.0.3 and 3.0.2 >>> > ok is 3.0.1, will keep digging then >>> > jk >>> > >>> > 2011/2/9 Brian Morearty <bmorearty@gmail.com> >>> >> >>> >> Yes, I saw something similar when I upgraded to 3.0.4 this morning. I >>> >> didn''t have a chance to debug it so for the moment I went back to >>> >> 3.0.1. I wasn''t sure if it was my doing so I didn''t say anything on >>> >> this list. >>> >> >>> >> I have a helper function that returns an HTML string. The function >>> >> calls .html_safe before returning. That worked in 3.0.1 but in 3.0.4 >>> >> it is being escaped in the output. >>> >> >>> >> I also tried adding .html_safe to the .html.erb file (double-safe it) >>> >> but to no avail. >>> >> >>> >> I was not able to reproduce it in a simple case though, even in very >>> >> same function. >>> >> >>> >> Brian >>> >> >>> >> >>> >> On Feb 9, 1:06 pm, Joaquin Rivera Padron <joahk...@gmail.com> wrote: >>> >> > hello, >>> >> > I have today updated my rails app to 3.0.4 security release but now >>> this >>> >> > >>> >> > yield :javascripts >>> >> > >>> >> > fails in the layout and I get my custom js escaped as text in the >>> view. >>> >> > >>> >> > anybody seeing this also? >>> >> > >>> >> > tia, >>> >> > jk >>> >> > >>> >> > --www.least-significant-bit.com >>> >> >>> >> -- >>> >> You received this message because you are subscribed to the Google >>> Groups >>> >> "Ruby on Rails: Core" group. >>> >> To post to this group, send email to >>> rubyonrails-core@googlegroups.com. >>> >> To unsubscribe from this group, send email to >>> >> rubyonrails-core+unsubscribe@googlegroups.com. >>> >> For more options, visit this group at >>> >> http://groups.google.com/group/rubyonrails-core?hl=en. >>> >> >>> > >>> > >>> > >>> > -- >>> > www.least-significant-bit.com >>> > >>> > -- >>> > You received this message because you are subscribed to the Google >>> Groups >>> > "Ruby on Rails: Core" group. >>> > To post to this group, send email to rubyonrails-core@googlegroups.com >>> . >>> > To unsubscribe from this group, send email to >>> > rubyonrails-core+unsubscribe@googlegroups.com. >>> > For more options, visit this group at >>> > http://groups.google.com/group/rubyonrails-core?hl=en. >>> > >>> >>> -- >>> You received this message because you are subscribed to the Google Groups >>> "Ruby on Rails: Core" group. >>> To post to this group, send email to rubyonrails-core@googlegroups.com. >>> To unsubscribe from this group, send email to >>> rubyonrails-core+unsubscribe@googlegroups.com. >>> For more options, visit this group at >>> http://groups.google.com/group/rubyonrails-core?hl=en. >>> >>> >> >> >> -- >> www.least-significant-bit.com >> > > > > -- > www.least-significant-bit.com >-- www.least-significant-bit.com -- You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group. To post to this group, send email to rubyonrails-core@googlegroups.com. To unsubscribe from this group, send email to rubyonrails-core+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/rubyonrails-core?hl=en.
2011/2/10 Joaquin Rivera Padron <joahking@gmail.com>> hi, > I diff-ed 3.0.0 with 3.0.1 and I got this >sorry I meant diff-ed 3.0.1 to 3.0.2> > diff --git a/actionpack/lib/action_dispatch/routing/polymorphic_routes.rb > b/actionpack/lib/action_dispatch/routing/polymorphic_routes.rb > index 142cd08..fb2118a 100644 > --- a/actionpack/lib/action_dispatch/routing/polymorphic_routes.rb > +++ b/actionpack/lib/action_dispatch/routing/polymorphic_routes.rb > @@ -17,7 +17,7 @@ module ActionDispatch > # > ...skipping... > buffer = with_output_buffer { value = yield(*args) } > if string = buffer.presence || value and string.is_a?(String) > - NonConcattingString.new(string) > + NonConcattingString.new(*ERB::Util.html_escape(string)*) > end > end > > if I put bac k the NonConcattingString.new(string) it works (at least for > me) > > don''t know the implications though, wdyt? > > jk > > 2011/2/10 Joaquin Rivera Padron <joahking@gmail.com> > > yes, if by 3-0-stable you mean 3.0.0, yes it works >> >> thanks for the "ping offer", I''ll let you know if anything, but I won''t >> (can''t) be full time chasing the bug :-( >> >> jk >> >> 2011/2/10 Santiago Pastorino <santiago@wyeworks.com> >> >> Great, ping me if I can help you. >>> BTW did you tried 3-0-stable? >>> >>> On Thu, Feb 10, 2011 at 9:51 AM, Joaquin Rivera Padron >>> <joahking@gmail.com> wrote: >>> > for me are broken also versions 3.0.4, 3.0.4.rc1, 3.0.3 and 3.0.2 >>> > ok is 3.0.1, will keep digging then >>> > jk >>> > >>> > 2011/2/9 Brian Morearty <bmorearty@gmail.com> >>> >> >>> >> Yes, I saw something similar when I upgraded to 3.0.4 this morning. I >>> >> didn''t have a chance to debug it so for the moment I went back to >>> >> 3.0.1. I wasn''t sure if it was my doing so I didn''t say anything on >>> >> this list. >>> >> >>> >> I have a helper function that returns an HTML string. The function >>> >> calls .html_safe before returning. That worked in 3.0.1 but in 3.0.4 >>> >> it is being escaped in the output. >>> >> >>> >> I also tried adding .html_safe to the .html.erb file (double-safe it) >>> >> but to no avail. >>> >> >>> >> I was not able to reproduce it in a simple case though, even in very >>> >> same function. >>> >> >>> >> Brian >>> >> >>> >> >>> >> On Feb 9, 1:06 pm, Joaquin Rivera Padron <joahk...@gmail.com> wrote: >>> >> > hello, >>> >> > I have today updated my rails app to 3.0.4 security release but now >>> this >>> >> > >>> >> > yield :javascripts >>> >> > >>> >> > fails in the layout and I get my custom js escaped as text in the >>> view. >>> >> > >>> >> > anybody seeing this also? >>> >> > >>> >> > tia, >>> >> > jk >>> >> > >>> >> > --www.least-significant-bit.com >>> >> >>> >> -- >>> >> You received this message because you are subscribed to the Google >>> Groups >>> >> "Ruby on Rails: Core" group. >>> >> To post to this group, send email to >>> rubyonrails-core@googlegroups.com. >>> >> To unsubscribe from this group, send email to >>> >> rubyonrails-core+unsubscribe@googlegroups.com. >>> >> For more options, visit this group at >>> >> http://groups.google.com/group/rubyonrails-core?hl=en. >>> >> >>> > >>> > >>> > >>> > -- >>> > www.least-significant-bit.com >>> > >>> > -- >>> > You received this message because you are subscribed to the Google >>> Groups >>> > "Ruby on Rails: Core" group. >>> > To post to this group, send email to rubyonrails-core@googlegroups.com >>> . >>> > To unsubscribe from this group, send email to >>> > rubyonrails-core+unsubscribe@googlegroups.com. >>> > For more options, visit this group at >>> > http://groups.google.com/group/rubyonrails-core?hl=en. >>> > >>> >>> -- >>> You received this message because you are subscribed to the Google Groups >>> "Ruby on Rails: Core" group. >>> To post to this group, send email to rubyonrails-core@googlegroups.com. >>> To unsubscribe from this group, send email to >>> rubyonrails-core+unsubscribe@googlegroups.com. >>> For more options, visit this group at >>> http://groups.google.com/group/rubyonrails-core?hl=en. >>> >>> >> >> >> -- >> www.least-significant-bit.com >> > > > > -- > www.least-significant-bit.com >-- www.least-significant-bit.com -- You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group. To post to this group, send email to rubyonrails-core@googlegroups.com. To unsubscribe from this group, send email to rubyonrails-core+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/rubyonrails-core?hl=en.
I''ll try to run the tests in 3.0.2 with that change to see if (what) breaks 2011/2/10 Joaquin Rivera Padron <joahking@gmail.com>> 2011/2/10 Joaquin Rivera Padron <joahking@gmail.com> > >> hi, >> I diff-ed 3.0.0 with 3.0.1 and I got this >> > > sorry I meant diff-ed 3.0.1 to 3.0.2 > > >> >> diff --git a/actionpack/lib/action_dispatch/routing/polymorphic_routes.rb >> b/actionpack/lib/action_dispatch/routing/polymorphic_routes.rb >> index 142cd08..fb2118a 100644 >> --- a/actionpack/lib/action_dispatch/routing/polymorphic_routes.rb >> +++ b/actionpack/lib/action_dispatch/routing/polymorphic_routes.rb >> @@ -17,7 +17,7 @@ module ActionDispatch >> # >> ...skipping... >> buffer = with_output_buffer { value = yield(*args) } >> if string = buffer.presence || value and string.is_a?(String) >> - NonConcattingString.new(string) >> + NonConcattingString.new(*ERB::Util.html_escape(string)*) >> end >> end >> >> if I put bac k the NonConcattingString.new(string) it works (at least for >> me) >> >> don''t know the implications though, wdyt? >> >> jk >> >> 2011/2/10 Joaquin Rivera Padron <joahking@gmail.com> >> >> yes, if by 3-0-stable you mean 3.0.0, yes it works >>> >>> thanks for the "ping offer", I''ll let you know if anything, but I won''t >>> (can''t) be full time chasing the bug :-( >>> >>> jk >>> >>> 2011/2/10 Santiago Pastorino <santiago@wyeworks.com> >>> >>> Great, ping me if I can help you. >>>> BTW did you tried 3-0-stable? >>>> >>>> On Thu, Feb 10, 2011 at 9:51 AM, Joaquin Rivera Padron >>>> <joahking@gmail.com> wrote: >>>> > for me are broken also versions 3.0.4, 3.0.4.rc1, 3.0.3 and 3.0.2 >>>> > ok is 3.0.1, will keep digging then >>>> > jk >>>> > >>>> > 2011/2/9 Brian Morearty <bmorearty@gmail.com> >>>> >> >>>> >> Yes, I saw something similar when I upgraded to 3.0.4 this morning. I >>>> >> didn''t have a chance to debug it so for the moment I went back to >>>> >> 3.0.1. I wasn''t sure if it was my doing so I didn''t say anything on >>>> >> this list. >>>> >> >>>> >> I have a helper function that returns an HTML string. The function >>>> >> calls .html_safe before returning. That worked in 3.0.1 but in 3.0.4 >>>> >> it is being escaped in the output. >>>> >> >>>> >> I also tried adding .html_safe to the .html.erb file (double-safe it) >>>> >> but to no avail. >>>> >> >>>> >> I was not able to reproduce it in a simple case though, even in very >>>> >> same function. >>>> >> >>>> >> Brian >>>> >> >>>> >> >>>> >> On Feb 9, 1:06 pm, Joaquin Rivera Padron <joahk...@gmail.com> wrote: >>>> >> > hello, >>>> >> > I have today updated my rails app to 3.0.4 security release but now >>>> this >>>> >> > >>>> >> > yield :javascripts >>>> >> > >>>> >> > fails in the layout and I get my custom js escaped as text in the >>>> view. >>>> >> > >>>> >> > anybody seeing this also? >>>> >> > >>>> >> > tia, >>>> >> > jk >>>> >> > >>>> >> > --www.least-significant-bit.com >>>> >> >>>> >> -- >>>> >> You received this message because you are subscribed to the Google >>>> Groups >>>> >> "Ruby on Rails: Core" group. >>>> >> To post to this group, send email to >>>> rubyonrails-core@googlegroups.com. >>>> >> To unsubscribe from this group, send email to >>>> >> rubyonrails-core+unsubscribe@googlegroups.com. >>>> >> For more options, visit this group at >>>> >> http://groups.google.com/group/rubyonrails-core?hl=en. >>>> >> >>>> > >>>> > >>>> > >>>> > -- >>>> > www.least-significant-bit.com >>>> > >>>> > -- >>>> > You received this message because you are subscribed to the Google >>>> Groups >>>> > "Ruby on Rails: Core" group. >>>> > To post to this group, send email to >>>> rubyonrails-core@googlegroups.com. >>>> > To unsubscribe from this group, send email to >>>> > rubyonrails-core+unsubscribe@googlegroups.com. >>>> > For more options, visit this group at >>>> > http://groups.google.com/group/rubyonrails-core?hl=en. >>>> > >>>> >>>> -- >>>> You received this message because you are subscribed to the Google >>>> Groups "Ruby on Rails: Core" group. >>>> To post to this group, send email to rubyonrails-core@googlegroups.com. >>>> To unsubscribe from this group, send email to >>>> rubyonrails-core+unsubscribe@googlegroups.com. >>>> For more options, visit this group at >>>> http://groups.google.com/group/rubyonrails-core?hl=en. >>>> >>>> >>> >>> >>> -- >>> www.least-significant-bit.com >>> >> >> >> >> -- >> www.least-significant-bit.com >> > > > > -- > www.least-significant-bit.com >-- www.least-significant-bit.com -- You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group. To post to this group, send email to rubyonrails-core@googlegroups.com. To unsubscribe from this group, send email to rubyonrails-core+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/rubyonrails-core?hl=en.
This commit https://github.com/rails/rails/commit/2c8bff3513b17a8ad55595a61601bfba14ad40bf just changes from html_escape string to ERB::Util.html_escape(string) so both are calling the same method. You''re talking about this one https://github.com/rails/rails/commit/bb9c58eb4aa637fa75c69c705a9918d6322ff834 and this fix a security issue. I''d say that you''re missing a html_safe some where. On Thu, Feb 10, 2011 at 10:54 AM, Joaquin Rivera Padron <joahking@gmail.com> wrote:> > commit 2c8bff3513b17a8ad55595a61601bfba14ad40bf > Author: Santiago Pastorino <santiago@wyeworks.com> > Date: Tue Nov 2 20:18:22 2010 -0200 > Call as ERB::Util.html_escape since is not the module is not included > here > > 2011/2/10 Joaquin Rivera Padron <joahking@gmail.com> >> >> hi, >> I diff-ed 3.0.0 with 3.0.1 and I got this >> diff --git a/actionpack/lib/action_dispatch/routing/polymorphic_routes.rb >> b/actionpack/lib/action_dispatch/routing/polymorphic_routes.rb >> index 142cd08..fb2118a 100644 >> --- a/actionpack/lib/action_dispatch/routing/polymorphic_routes.rb >> +++ b/actionpack/lib/action_dispatch/routing/polymorphic_routes.rb >> @@ -17,7 +17,7 @@ module ActionDispatch >> # >> ...skipping... >> buffer = with_output_buffer { value = yield(*args) } >> if string = buffer.presence || value and string.is_a?(String) >> - NonConcattingString.new(string) >> + NonConcattingString.new(ERB::Util.html_escape(string)) >> end >> end >> if I put bac k the NonConcattingString.new(string) it works (at least for >> me) >> don''t know the implications though, wdyt? >> jk >> 2011/2/10 Joaquin Rivera Padron <joahking@gmail.com> >>> >>> yes, if by 3-0-stable you mean 3.0.0, yes it works >>> thanks for the "ping offer", I''ll let you know if anything, but I won''t >>> (can''t) be full time chasing the bug :-( >>> jk >>> >>> 2011/2/10 Santiago Pastorino <santiago@wyeworks.com> >>>> >>>> Great, ping me if I can help you. >>>> BTW did you tried 3-0-stable? >>>> >>>> On Thu, Feb 10, 2011 at 9:51 AM, Joaquin Rivera Padron >>>> <joahking@gmail.com> wrote: >>>> > for me are broken also versions 3.0.4, 3.0.4.rc1, 3.0.3 and 3.0.2 >>>> > ok is 3.0.1, will keep digging then >>>> > jk >>>> > >>>> > 2011/2/9 Brian Morearty <bmorearty@gmail.com> >>>> >> >>>> >> Yes, I saw something similar when I upgraded to 3.0.4 this morning. I >>>> >> didn''t have a chance to debug it so for the moment I went back to >>>> >> 3.0.1. I wasn''t sure if it was my doing so I didn''t say anything on >>>> >> this list. >>>> >> >>>> >> I have a helper function that returns an HTML string. The function >>>> >> calls .html_safe before returning. That worked in 3.0.1 but in 3.0.4 >>>> >> it is being escaped in the output. >>>> >> >>>> >> I also tried adding .html_safe to the .html.erb file (double-safe it) >>>> >> but to no avail. >>>> >> >>>> >> I was not able to reproduce it in a simple case though, even in very >>>> >> same function. >>>> >> >>>> >> Brian >>>> >> >>>> >> >>>> >> On Feb 9, 1:06 pm, Joaquin Rivera Padron <joahk...@gmail.com> wrote: >>>> >> > hello, >>>> >> > I have today updated my rails app to 3.0.4 security release but now >>>> >> > this >>>> >> > >>>> >> > yield :javascripts >>>> >> > >>>> >> > fails in the layout and I get my custom js escaped as text in the >>>> >> > view. >>>> >> > >>>> >> > anybody seeing this also? >>>> >> > >>>> >> > tia, >>>> >> > jk >>>> >> > >>>> >> > --www.least-significant-bit.com >>>> >> >>>> >> -- >>>> >> You received this message because you are subscribed to the Google >>>> >> Groups >>>> >> "Ruby on Rails: Core" group. >>>> >> To post to this group, send email to >>>> >> rubyonrails-core@googlegroups.com. >>>> >> To unsubscribe from this group, send email to >>>> >> rubyonrails-core+unsubscribe@googlegroups.com. >>>> >> For more options, visit this group at >>>> >> http://groups.google.com/group/rubyonrails-core?hl=en. >>>> >> >>>> > >>>> > >>>> > >>>> > -- >>>> > www.least-significant-bit.com >>>> > >>>> > -- >>>> > You received this message because you are subscribed to the Google >>>> > Groups >>>> > "Ruby on Rails: Core" group. >>>> > To post to this group, send email to >>>> > rubyonrails-core@googlegroups.com. >>>> > To unsubscribe from this group, send email to >>>> > rubyonrails-core+unsubscribe@googlegroups.com. >>>> > For more options, visit this group at >>>> > http://groups.google.com/group/rubyonrails-core?hl=en. >>>> > >>>> >>>> -- >>>> You received this message because you are subscribed to the Google >>>> Groups "Ruby on Rails: Core" group. >>>> To post to this group, send email to rubyonrails-core@googlegroups.com. >>>> To unsubscribe from this group, send email to >>>> rubyonrails-core+unsubscribe@googlegroups.com. >>>> For more options, visit this group at >>>> http://groups.google.com/group/rubyonrails-core?hl=en. >>>> >>> >>> >>> >>> -- >>> www.least-significant-bit.com >> >> >> >> -- >> www.least-significant-bit.com > > > > -- > www.least-significant-bit.com > > -- > You received this message because you are subscribed to the Google Groups > "Ruby on Rails: Core" group. > To post to this group, send email to rubyonrails-core@googlegroups.com. > To unsubscribe from this group, send email to > rubyonrails-core+unsubscribe@googlegroups.com. > For more options, visit this group at > http://groups.google.com/group/rubyonrails-core?hl=en. >-- You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group. To post to this group, send email to rubyonrails-core@googlegroups.com. To unsubscribe from this group, send email to rubyonrails-core+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/rubyonrails-core?hl=en.
I''ll check, thanks for the reply jk 2011/2/10 Santiago Pastorino <santiago@wyeworks.com>> This commit > https://github.com/rails/rails/commit/2c8bff3513b17a8ad55595a61601bfba14ad40bf > just changes from html_escape string to ERB::Util.html_escape(string) > so both are calling the same method. > > You''re talking about this one > > https://github.com/rails/rails/commit/bb9c58eb4aa637fa75c69c705a9918d6322ff834 > and this fix a security issue. I''d say that you''re missing a html_safe > some where. > > On Thu, Feb 10, 2011 at 10:54 AM, Joaquin Rivera Padron > <joahking@gmail.com> wrote: > > > > commit 2c8bff3513b17a8ad55595a61601bfba14ad40bf > > Author: Santiago Pastorino <santiago@wyeworks.com> > > Date: Tue Nov 2 20:18:22 2010 -0200 > > Call as ERB::Util.html_escape since is not the module is not included > > here > > > > 2011/2/10 Joaquin Rivera Padron <joahking@gmail.com> > >> > >> hi, > >> I diff-ed 3.0.0 with 3.0.1 and I got this > >> diff --git > a/actionpack/lib/action_dispatch/routing/polymorphic_routes.rb > >> b/actionpack/lib/action_dispatch/routing/polymorphic_routes.rb > >> index 142cd08..fb2118a 100644 > >> --- a/actionpack/lib/action_dispatch/routing/polymorphic_routes.rb > >> +++ b/actionpack/lib/action_dispatch/routing/polymorphic_routes.rb > >> @@ -17,7 +17,7 @@ module ActionDispatch > >> # > >> ...skipping... > >> buffer = with_output_buffer { value = yield(*args) } > >> if string = buffer.presence || value and string.is_a?(String) > >> - NonConcattingString.new(string) > >> + NonConcattingString.new(ERB::Util.html_escape(string)) > >> end > >> end > >> if I put bac k the NonConcattingString.new(string) it works (at least > for > >> me) > >> don''t know the implications though, wdyt? > >> jk > >> 2011/2/10 Joaquin Rivera Padron <joahking@gmail.com> > >>> > >>> yes, if by 3-0-stable you mean 3.0.0, yes it works > >>> thanks for the "ping offer", I''ll let you know if anything, but I won''t > >>> (can''t) be full time chasing the bug :-( > >>> jk > >>> > >>> 2011/2/10 Santiago Pastorino <santiago@wyeworks.com> > >>>> > >>>> Great, ping me if I can help you. > >>>> BTW did you tried 3-0-stable? > >>>> > >>>> On Thu, Feb 10, 2011 at 9:51 AM, Joaquin Rivera Padron > >>>> <joahking@gmail.com> wrote: > >>>> > for me are broken also versions 3.0.4, 3.0.4.rc1, 3.0.3 and 3.0.2 > >>>> > ok is 3.0.1, will keep digging then > >>>> > jk > >>>> > > >>>> > 2011/2/9 Brian Morearty <bmorearty@gmail.com> > >>>> >> > >>>> >> Yes, I saw something similar when I upgraded to 3.0.4 this morning. > I > >>>> >> didn''t have a chance to debug it so for the moment I went back to > >>>> >> 3.0.1. I wasn''t sure if it was my doing so I didn''t say anything on > >>>> >> this list. > >>>> >> > >>>> >> I have a helper function that returns an HTML string. The function > >>>> >> calls .html_safe before returning. That worked in 3.0.1 but in > 3.0.4 > >>>> >> it is being escaped in the output. > >>>> >> > >>>> >> I also tried adding .html_safe to the .html.erb file (double-safe > it) > >>>> >> but to no avail. > >>>> >> > >>>> >> I was not able to reproduce it in a simple case though, even in > very > >>>> >> same function. > >>>> >> > >>>> >> Brian > >>>> >> > >>>> >> > >>>> >> On Feb 9, 1:06 pm, Joaquin Rivera Padron <joahk...@gmail.com> > wrote: > >>>> >> > hello, > >>>> >> > I have today updated my rails app to 3.0.4 security release but > now > >>>> >> > this > >>>> >> > > >>>> >> > yield :javascripts > >>>> >> > > >>>> >> > fails in the layout and I get my custom js escaped as text in the > >>>> >> > view. > >>>> >> > > >>>> >> > anybody seeing this also? > >>>> >> > > >>>> >> > tia, > >>>> >> > jk > >>>> >> > > >>>> >> > --www.least-significant-bit.com > >>>> >> > >>>> >> -- > >>>> >> You received this message because you are subscribed to the Google > >>>> >> Groups > >>>> >> "Ruby on Rails: Core" group. > >>>> >> To post to this group, send email to > >>>> >> rubyonrails-core@googlegroups.com. > >>>> >> To unsubscribe from this group, send email to > >>>> >> rubyonrails-core+unsubscribe@googlegroups.com. > >>>> >> For more options, visit this group at > >>>> >> http://groups.google.com/group/rubyonrails-core?hl=en. > >>>> >> > >>>> > > >>>> > > >>>> > > >>>> > -- > >>>> > www.least-significant-bit.com > >>>> > > >>>> > -- > >>>> > You received this message because you are subscribed to the Google > >>>> > Groups > >>>> > "Ruby on Rails: Core" group. > >>>> > To post to this group, send email to > >>>> > rubyonrails-core@googlegroups.com. > >>>> > To unsubscribe from this group, send email to > >>>> > rubyonrails-core+unsubscribe@googlegroups.com. > >>>> > For more options, visit this group at > >>>> > http://groups.google.com/group/rubyonrails-core?hl=en. > >>>> > > >>>> > >>>> -- > >>>> You received this message because you are subscribed to the Google > >>>> Groups "Ruby on Rails: Core" group. > >>>> To post to this group, send email to > rubyonrails-core@googlegroups.com. > >>>> To unsubscribe from this group, send email to > >>>> rubyonrails-core+unsubscribe@googlegroups.com. > >>>> For more options, visit this group at > >>>> http://groups.google.com/group/rubyonrails-core?hl=en. > >>>> > >>> > >>> > >>> > >>> -- > >>> www.least-significant-bit.com > >> > >> > >> > >> -- > >> www.least-significant-bit.com > > > > > > > > -- > > www.least-significant-bit.com > > > > -- > > You received this message because you are subscribed to the Google Groups > > "Ruby on Rails: Core" group. > > To post to this group, send email to rubyonrails-core@googlegroups.com. > > To unsubscribe from this group, send email to > > rubyonrails-core+unsubscribe@googlegroups.com. > > For more options, visit this group at > > http://groups.google.com/group/rubyonrails-core?hl=en. > > > > -- > You received this message because you are subscribed to the Google Groups > "Ruby on Rails: Core" group. > To post to this group, send email to rubyonrails-core@googlegroups.com. > To unsubscribe from this group, send email to > rubyonrails-core+unsubscribe@googlegroups.com. > For more options, visit this group at > http://groups.google.com/group/rubyonrails-core?hl=en. > >-- www.least-significant-bit.com -- You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group. To post to this group, send email to rubyonrails-core@googlegroups.com. To unsubscribe from this group, send email to rubyonrails-core+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/rubyonrails-core?hl=en.
you are totally right, I was missing a html_safe :-) this is wrong as now: content_for :js do <<JS <script type="text/javascript"> alert(''hello''); </script> JS end this is ok: js = <<JS <script type="text/javascript"> alert(''hello''); </script> JS content_for :js do js.html_safe end thanks a lot jk 2011/2/10 Joaquin Rivera Padron <joahking@gmail.com>> I''ll check, thanks for the reply > > jk > > 2011/2/10 Santiago Pastorino <santiago@wyeworks.com> > >> This commit >> https://github.com/rails/rails/commit/2c8bff3513b17a8ad55595a61601bfba14ad40bf >> just changes from html_escape string to ERB::Util.html_escape(string) >> so both are calling the same method. >> >> You''re talking about this one >> >> https://github.com/rails/rails/commit/bb9c58eb4aa637fa75c69c705a9918d6322ff834 >> and this fix a security issue. I''d say that you''re missing a html_safe >> some where. >> >> On Thu, Feb 10, 2011 at 10:54 AM, Joaquin Rivera Padron >> <joahking@gmail.com> wrote: >> > >> > commit 2c8bff3513b17a8ad55595a61601bfba14ad40bf >> > Author: Santiago Pastorino <santiago@wyeworks.com> >> > Date: Tue Nov 2 20:18:22 2010 -0200 >> > Call as ERB::Util.html_escape since is not the module is not >> included >> > here >> > >> > 2011/2/10 Joaquin Rivera Padron <joahking@gmail.com> >> >> >> >> hi, >> >> I diff-ed 3.0.0 with 3.0.1 and I got this >> >> diff --git >> a/actionpack/lib/action_dispatch/routing/polymorphic_routes.rb >> >> b/actionpack/lib/action_dispatch/routing/polymorphic_routes.rb >> >> index 142cd08..fb2118a 100644 >> >> --- a/actionpack/lib/action_dispatch/routing/polymorphic_routes.rb >> >> +++ b/actionpack/lib/action_dispatch/routing/polymorphic_routes.rb >> >> @@ -17,7 +17,7 @@ module ActionDispatch >> >> # >> >> ...skipping... >> >> buffer = with_output_buffer { value = yield(*args) } >> >> if string = buffer.presence || value and string.is_a?(String) >> >> - NonConcattingString.new(string) >> >> + NonConcattingString.new(ERB::Util.html_escape(string)) >> >> end >> >> end >> >> if I put bac k the NonConcattingString.new(string) it works (at least >> for >> >> me) >> >> don''t know the implications though, wdyt? >> >> jk >> >> 2011/2/10 Joaquin Rivera Padron <joahking@gmail.com> >> >>> >> >>> yes, if by 3-0-stable you mean 3.0.0, yes it works >> >>> thanks for the "ping offer", I''ll let you know if anything, but I >> won''t >> >>> (can''t) be full time chasing the bug :-( >> >>> jk >> >>> >> >>> 2011/2/10 Santiago Pastorino <santiago@wyeworks.com> >> >>>> >> >>>> Great, ping me if I can help you. >> >>>> BTW did you tried 3-0-stable? >> >>>> >> >>>> On Thu, Feb 10, 2011 at 9:51 AM, Joaquin Rivera Padron >> >>>> <joahking@gmail.com> wrote: >> >>>> > for me are broken also versions 3.0.4, 3.0.4.rc1, 3.0.3 and 3.0.2 >> >>>> > ok is 3.0.1, will keep digging then >> >>>> > jk >> >>>> > >> >>>> > 2011/2/9 Brian Morearty <bmorearty@gmail.com> >> >>>> >> >> >>>> >> Yes, I saw something similar when I upgraded to 3.0.4 this >> morning. I >> >>>> >> didn''t have a chance to debug it so for the moment I went back to >> >>>> >> 3.0.1. I wasn''t sure if it was my doing so I didn''t say anything >> on >> >>>> >> this list. >> >>>> >> >> >>>> >> I have a helper function that returns an HTML string. The function >> >>>> >> calls .html_safe before returning. That worked in 3.0.1 but in >> 3.0.4 >> >>>> >> it is being escaped in the output. >> >>>> >> >> >>>> >> I also tried adding .html_safe to the .html.erb file (double-safe >> it) >> >>>> >> but to no avail. >> >>>> >> >> >>>> >> I was not able to reproduce it in a simple case though, even in >> very >> >>>> >> same function. >> >>>> >> >> >>>> >> Brian >> >>>> >> >> >>>> >> >> >>>> >> On Feb 9, 1:06 pm, Joaquin Rivera Padron <joahk...@gmail.com> >> wrote: >> >>>> >> > hello, >> >>>> >> > I have today updated my rails app to 3.0.4 security release but >> now >> >>>> >> > this >> >>>> >> > >> >>>> >> > yield :javascripts >> >>>> >> > >> >>>> >> > fails in the layout and I get my custom js escaped as text in >> the >> >>>> >> > view. >> >>>> >> > >> >>>> >> > anybody seeing this also? >> >>>> >> > >> >>>> >> > tia, >> >>>> >> > jk >> >>>> >> > >> >>>> >> > --www.least-significant-bit.com >> >>>> >> >> >>>> >> -- >> >>>> >> You received this message because you are subscribed to the Google >> >>>> >> Groups >> >>>> >> "Ruby on Rails: Core" group. >> >>>> >> To post to this group, send email to >> >>>> >> rubyonrails-core@googlegroups.com. >> >>>> >> To unsubscribe from this group, send email to >> >>>> >> rubyonrails-core+unsubscribe@googlegroups.com. >> >>>> >> For more options, visit this group at >> >>>> >> http://groups.google.com/group/rubyonrails-core?hl=en. >> >>>> >> >> >>>> > >> >>>> > >> >>>> > >> >>>> > -- >> >>>> > www.least-significant-bit.com >> >>>> > >> >>>> > -- >> >>>> > You received this message because you are subscribed to the Google >> >>>> > Groups >> >>>> > "Ruby on Rails: Core" group. >> >>>> > To post to this group, send email to >> >>>> > rubyonrails-core@googlegroups.com. >> >>>> > To unsubscribe from this group, send email to >> >>>> > rubyonrails-core+unsubscribe@googlegroups.com. >> >>>> > For more options, visit this group at >> >>>> > http://groups.google.com/group/rubyonrails-core?hl=en. >> >>>> > >> >>>> >> >>>> -- >> >>>> You received this message because you are subscribed to the Google >> >>>> Groups "Ruby on Rails: Core" group. >> >>>> To post to this group, send email to >> rubyonrails-core@googlegroups.com. >> >>>> To unsubscribe from this group, send email to >> >>>> rubyonrails-core+unsubscribe@googlegroups.com. >> >>>> For more options, visit this group at >> >>>> http://groups.google.com/group/rubyonrails-core?hl=en. >> >>>> >> >>> >> >>> >> >>> >> >>> -- >> >>> www.least-significant-bit.com >> >> >> >> >> >> >> >> -- >> >> www.least-significant-bit.com >> > >> > >> > >> > -- >> > www.least-significant-bit.com >> > >> > -- >> > You received this message because you are subscribed to the Google >> Groups >> > "Ruby on Rails: Core" group. >> > To post to this group, send email to rubyonrails-core@googlegroups.com. >> > To unsubscribe from this group, send email to >> > rubyonrails-core+unsubscribe@googlegroups.com. >> > For more options, visit this group at >> > http://groups.google.com/group/rubyonrails-core?hl=en. >> > >> >> -- >> You received this message because you are subscribed to the Google Groups >> "Ruby on Rails: Core" group. >> To post to this group, send email to rubyonrails-core@googlegroups.com. >> To unsubscribe from this group, send email to >> rubyonrails-core+unsubscribe@googlegroups.com. >> For more options, visit this group at >> http://groups.google.com/group/rubyonrails-core?hl=en. >> >> > > > -- > www.least-significant-bit.com >-- www.least-significant-bit.com -- You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group. To post to this group, send email to rubyonrails-core@googlegroups.com. To unsubscribe from this group, send email to rubyonrails-core+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/rubyonrails-core?hl=en.
The change that Santiago mentioned (https://github.com/rails/rails/ commit/bb9c58eb4aa637fa75c69c705a9918d6322ff834) also causes content_tag always to escape its output, even when the ''escape'' parameter is set to false. However, from my experiments it seems the ''escape'' parameter wasn''t working before the change either. Instead of always escaping the output, content_tag was never escaping the output. In a 3.0.1 Rails project the output is never escaped but html_safe? always returns true: rails console Loading development environment (Rails 3.0.1) ruby-1.8.7-p330 :001 > helper.content_tag :div do ''<b>hello</b>'' end => "<div><b>hello</b></div>" ruby-1.8.7-p330 :002 > (helper.content_tag :div do ''<b>hello</b>'' end).html_safe? => true ruby-1.8.7-p330 :003 > helper.content_tag :div,nil,nil,true do ''<b>hello</b>'' end => "<div><b>hello</b></div>" ruby-1.8.7-p330 :004 > (helper.content_tag :div,nil,nil,true do ''<b>hello</b>'' end).html_safe? => true ruby-1.8.7-p330 :005 > helper.content_tag :div,nil,nil,false do ''<b>hello</b>'' end => "<div><b>hello</b></div>" ruby-1.8.7-p330 :006 > (helper.content_tag :div,nil,nil,false do ''<b>hello</b>'' end).html_safe? => true In a Rails 3.0.2 project the content is always escaped and html_safe? always returns true: rails console Loading development environment (Rails 3.0.2) ruby-1.8.7-p330 :001 > helper.content_tag :div do ''<b>hello</b>'' end => "<div><b>hello</b></div>" ruby-1.8.7-p330 :002 > (helper.content_tag :div do ''<b>hello</b>'' end).html_safe? => true ruby-1.8.7-p330 :003 > helper.content_tag :div,nil,nil,true do ''<b>hello</b>'' end => "<div><b>hello</b></div>" ruby-1.8.7-p330 :004 > (helper.content_tag :div,nil,nil,true do ''<b>hello</b>'' end).html_safe? => true ruby-1.8.7-p330 :005 > helper.content_tag :div,nil,nil,false do ''<b>hello</b>'' end => "<div><b>hello</b></div>" ruby-1.8.7-p330 :006 > (helper.content_tag :div,nil,nil,false do ''<b>hello</b>'' end).html_safe? => true So at least in Rails 3.0.2 the html_safe? function is reporting the truth. But content_tag escapes the output even when escape=false (see the last two lines). I would submit a patch but I''m not sure what the right fix is. Brian Morearty On Feb 10, 5:36 am, Joaquin Rivera Padron <joahk...@gmail.com> wrote:> you are totally right, I was missing a html_safe :-) > > this is wrong as now: > > content_for :js do > <<JS > <script type="text/javascript"> > alert(''hello''); > </script> > JS > end > > this is ok: > > js = <<JS > <script type="text/javascript"> > alert(''hello''); > </script> > JS > > content_for :js do > js.html_safe > end > > thanks a lot > jk > > 2011/2/10 Joaquin Rivera Padron <joahk...@gmail.com> > > > > > I''ll check, thanks for the reply > > > jk > > > 2011/2/10 Santiago Pastorino <santi...@wyeworks.com> > > >> This commit > >>https://github.com/rails/rails/commit/2c8bff3513b17a8ad55595a61601bfb... > >> just changes from html_escape string to ERB::Util.html_escape(string) > >> so both are calling the same method. > > >> You''re talking about this one > > >>https://github.com/rails/rails/commit/bb9c58eb4aa637fa75c69c705a9918d... > >> and this fix a security issue. I''d say that you''re missing a html_safe > >> some where. > > >> On Thu, Feb 10, 2011 at 10:54 AM, Joaquin Rivera Padron > >> <joahk...@gmail.com> wrote: > > >> > commit 2c8bff3513b17a8ad55595a61601bfba14ad40bf > >> > Author: Santiago Pastorino <santi...@wyeworks.com> > >> > Date: Tue Nov 2 20:18:22 2010 -0200 > >> > Call as ERB::Util.html_escape since is not the module is not > >> included > >> > here > > >> > 2011/2/10 Joaquin Rivera Padron <joahk...@gmail.com> > > >> >> hi, > >> >> I diff-ed 3.0.0 with 3.0.1 and I got this > >> >> diff --git > >> a/actionpack/lib/action_dispatch/routing/polymorphic_routes.rb > >> >> b/actionpack/lib/action_dispatch/routing/polymorphic_routes.rb > >> >> index 142cd08..fb2118a 100644 > >> >> --- a/actionpack/lib/action_dispatch/routing/polymorphic_routes.rb > >> >> +++ b/actionpack/lib/action_dispatch/routing/polymorphic_routes.rb > >> >> @@ -17,7 +17,7 @@ module ActionDispatch > >> >> # > >> >> ...skipping... > >> >> buffer = with_output_buffer { value = yield(*args) } > >> >> if string = buffer.presence || value and string.is_a?(String) > >> >> - NonConcattingString.new(string) > >> >> + NonConcattingString.new(ERB::Util.html_escape(string)) > >> >> end > >> >> end > >> >> if I put bac k the NonConcattingString.new(string) it works (at least > >> for > >> >> me) > >> >> don''t know the implications though, wdyt? > >> >> jk > >> >> 2011/2/10 Joaquin Rivera Padron <joahk...@gmail.com> > > >> >>> yes, if by 3-0-stable you mean 3.0.0, yes it works > >> >>> thanks for the "ping offer", I''ll let you know if anything, but I > >> won''t > >> >>> (can''t) be full time chasing the bug :-( > >> >>> jk > > >> >>> 2011/2/10 Santiago Pastorino <santi...@wyeworks.com> > > >> >>>> Great, ping me if I can help you. > >> >>>> BTW did you tried 3-0-stable? > > >> >>>> On Thu, Feb 10, 2011 at 9:51 AM, Joaquin Rivera Padron > >> >>>> <joahk...@gmail.com> wrote: > >> >>>> > for me are broken also versions 3.0.4, 3.0.4.rc1, 3.0.3 and 3.0.2 > >> >>>> > ok is 3.0.1, will keep digging then > >> >>>> > jk > > >> >>>> > 2011/2/9 Brian Morearty <bmorea...@gmail.com> > > >> >>>> >> Yes, I saw something similar when I upgraded to 3.0.4 this > >> morning. I > >> >>>> >> didn''t have a chance to debug it so for the moment I went back to > >> >>>> >> 3.0.1. I wasn''t sure if it was my doing so I didn''t say anything > >> on > >> >>>> >> this list. > > >> >>>> >> I have a helper function that returns an HTML string. The function > >> >>>> >> calls .html_safe before returning. That worked in 3.0.1 but in > >> 3.0.4 > >> >>>> >> it is being escaped in the output. > > >> >>>> >> I also tried adding .html_safe to the .html.erb file (double-safe > >> it) > >> >>>> >> but to no avail. > > >> >>>> >> I was not able to reproduce it in a simple case though, even in > >> very > >> >>>> >> same function. > > >> >>>> >> Brian > > >> >>>> >> On Feb 9, 1:06 pm, Joaquin Rivera Padron <joahk...@gmail.com> > >> wrote: > >> >>>> >> > hello, > >> >>>> >> > I have today updated my rails app to 3.0.4 security release but > >> now > >> >>>> >> > this > > >> >>>> >> > yield :javascripts > > >> >>>> >> > fails in the layout and I get my custom js escaped as text in > >> the > >> >>>> >> > view. > > >> >>>> >> > anybody seeing this also? > > >> >>>> >> > tia, > >> >>>> >> > jk > > >> >>>> >> > --www.least-significant-bit.com > > >> >>>> >> -- > >> >>>> >> You received this message because you are subscribed to the Google > >> >>>> >> Groups > >> >>>> >> "Ruby on Rails: Core" group. > >> >>>> >> To post to this group, send email to > >> >>>> >> rubyonrails-core@googlegroups.com. > >> >>>> >> To unsubscribe from this group, send email to > >> >>>> >> rubyonrails-core+unsubscribe@googlegroups.com. > >> >>>> >> For more options, visit this group at > >> >>>> >>http://groups.google.com/group/rubyonrails-core?hl=en. > > >> >>>> > -- > >> >>>> >www.least-significant-bit.com > > >> >>>> > -- > >> >>>> > You received this message because you are subscribed to the Google > >> >>>> > Groups > >> >>>> > "Ruby on Rails: Core" group. > >> >>>> > To post to this group, send email to > >> >>>> > rubyonrails-core@googlegroups.com. > >> >>>> > To unsubscribe from this group, send email to > >> >>>> > rubyonrails-core+unsubscribe@googlegroups.com. > >> >>>> > For more options, visit this group at > >> >>>> >http://groups.google.com/group/rubyonrails-core?hl=en. > > >> >>>> -- > >> >>>> You received this message because you are subscribed to the Google > >> >>>> Groups "Ruby on Rails: Core" group. > >> >>>> To post to this group, send email to > >> rubyonrails-core@googlegroups.com. > >> >>>> To unsubscribe from this group, send email to > >> >>>> rubyonrails-core+unsubscribe@googlegroups.com. > >> >>>> For more options, visit this group at > >> >>>>http://groups.google.com/group/rubyonrails-core?hl=en. > > >> >>> -- > >> >>>www.least-significant-bit.com > > >> >> -- > >> >>www.least-significant-bit.com > > >> > -- > >> >www.least-significant-bit.com > > >> > -- > >> > You received this message because you are subscribed to the Google > >> Groups > >> > "Ruby on Rails: Core" group. > >> > To post to this group, send email to rubyonrails-core@googlegroups.com. > >> > To unsubscribe from this group, send email to > >> > rubyonrails-core+unsubscribe@googlegroups.com. > >> > For more options, visit this group at > >> >http://groups.google.com/group/rubyonrails-core?hl=en. > > >> -- > >> You received this message because you are subscribed to the Google Groups > >> "Ruby on Rails: Core" group. > >> To post to this group, send email to rubyonrails-core@googlegroups.com. > >> To unsubscribe from this group, send email to > >> rubyonrails-core+unsubscribe@googlegroups.com. > >> For more options, visit this group at > >>http://groups.google.com/group/rubyonrails-core?hl=en. > > > -- > >www.least-significant-bit.com > > --www.least-significant-bit.com-- You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group. To post to this group, send email to rubyonrails-core@googlegroups.com. To unsubscribe from this group, send email to rubyonrails-core+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/rubyonrails-core?hl=en.
Hey Brian, I think we should remove the escape parameter at least here https://github.com/rails/rails/blob/e8c870726a67a27965b2a5333a5ecf450d4f458f/actionpack/lib/action_view/helpers/form_tag_helper.rb#L303. I haven''t checked it in other places but I that guess could be removed too, so if you want to go ahead do it and deprecate it for 3-0-stable. We should use html_safe when you need to not escape. Best, Santiago. On Thu, Feb 10, 2011 at 3:01 PM, Brian Morearty <bmorearty@gmail.com> wrote:> The change that Santiago mentioned (https://github.com/rails/rails/ > commit/bb9c58eb4aa637fa75c69c705a9918d6322ff834) also causes > content_tag always to escape its output, even when the ''escape'' > parameter is set to false. However, from my experiments it seems the > ''escape'' parameter wasn''t working before the change either. Instead of > always escaping the output, content_tag was never escaping the output. > > In a 3.0.1 Rails project the output is never escaped but html_safe? > always returns true: > > rails console > Loading development environment (Rails 3.0.1) > ruby-1.8.7-p330 :001 > helper.content_tag :div do ''<b>hello</b>'' > end > => "<div><b>hello</b></div>" > ruby-1.8.7-p330 :002 > (helper.content_tag :div do ''<b>hello</b>'' > end).html_safe? > => true > ruby-1.8.7-p330 :003 > helper.content_tag :div,nil,nil,true do > ''<b>hello</b>'' end > => "<div><b>hello</b></div>" > ruby-1.8.7-p330 :004 > (helper.content_tag :div,nil,nil,true do > ''<b>hello</b>'' end).html_safe? > => true > ruby-1.8.7-p330 :005 > helper.content_tag :div,nil,nil,false do > ''<b>hello</b>'' end > => "<div><b>hello</b></div>" > ruby-1.8.7-p330 :006 > (helper.content_tag :div,nil,nil,false do > ''<b>hello</b>'' end).html_safe? > => true > > In a Rails 3.0.2 project the content is always escaped and html_safe? > always returns true: > > rails console > Loading development environment (Rails 3.0.2) > ruby-1.8.7-p330 :001 > helper.content_tag :div do ''<b>hello</b>'' end > => "<div><b>hello</b></div>" > ruby-1.8.7-p330 :002 > (helper.content_tag :div do ''<b>hello</b>'' > end).html_safe? > => true > ruby-1.8.7-p330 :003 > helper.content_tag :div,nil,nil,true do > ''<b>hello</b>'' end > => "<div><b>hello</b></div>" > ruby-1.8.7-p330 :004 > (helper.content_tag :div,nil,nil,true do > ''<b>hello</b>'' end).html_safe? > => true > ruby-1.8.7-p330 :005 > helper.content_tag :div,nil,nil,false do > ''<b>hello</b>'' end > => "<div><b>hello</b></div>" > ruby-1.8.7-p330 :006 > (helper.content_tag :div,nil,nil,false do > ''<b>hello</b>'' end).html_safe? > => true > > So at least in Rails 3.0.2 the html_safe? function is reporting the > truth. But content_tag escapes the output even when escape=false (see > the last two lines). > > I would submit a patch but I''m not sure what the right fix is. > > Brian Morearty > > > On Feb 10, 5:36 am, Joaquin Rivera Padron <joahk...@gmail.com> wrote: >> you are totally right, I was missing a html_safe :-) >> >> this is wrong as now: >> >> content_for :js do >> <<JS >> <script type="text/javascript"> >> alert(''hello''); >> </script> >> JS >> end >> >> this is ok: >> >> js = <<JS >> <script type="text/javascript"> >> alert(''hello''); >> </script> >> JS >> >> content_for :js do >> js.html_safe >> end >> >> thanks a lot >> jk >> >> 2011/2/10 Joaquin Rivera Padron <joahk...@gmail.com> >> >> >> >> > I''ll check, thanks for the reply >> >> > jk >> >> > 2011/2/10 Santiago Pastorino <santi...@wyeworks.com> >> >> >> This commit >> >>https://github.com/rails/rails/commit/2c8bff3513b17a8ad55595a61601bfb... >> >> just changes from html_escape string to ERB::Util.html_escape(string) >> >> so both are calling the same method. >> >> >> You''re talking about this one >> >> >>https://github.com/rails/rails/commit/bb9c58eb4aa637fa75c69c705a9918d... >> >> and this fix a security issue. I''d say that you''re missing a html_safe >> >> some where. >> >> >> On Thu, Feb 10, 2011 at 10:54 AM, Joaquin Rivera Padron >> >> <joahk...@gmail.com> wrote: >> >> >> > commit 2c8bff3513b17a8ad55595a61601bfba14ad40bf >> >> > Author: Santiago Pastorino <santi...@wyeworks.com> >> >> > Date: Tue Nov 2 20:18:22 2010 -0200 >> >> > Call as ERB::Util.html_escape since is not the module is not >> >> included >> >> > here >> >> >> > 2011/2/10 Joaquin Rivera Padron <joahk...@gmail.com> >> >> >> >> hi, >> >> >> I diff-ed 3.0.0 with 3.0.1 and I got this >> >> >> diff --git >> >> a/actionpack/lib/action_dispatch/routing/polymorphic_routes.rb >> >> >> b/actionpack/lib/action_dispatch/routing/polymorphic_routes.rb >> >> >> index 142cd08..fb2118a 100644 >> >> >> --- a/actionpack/lib/action_dispatch/routing/polymorphic_routes.rb >> >> >> +++ b/actionpack/lib/action_dispatch/routing/polymorphic_routes.rb >> >> >> @@ -17,7 +17,7 @@ module ActionDispatch >> >> >> # >> >> >> ...skipping... >> >> >> buffer = with_output_buffer { value = yield(*args) } >> >> >> if string = buffer.presence || value and string.is_a?(String) >> >> >> - NonConcattingString.new(string) >> >> >> + NonConcattingString.new(ERB::Util.html_escape(string)) >> >> >> end >> >> >> end >> >> >> if I put bac k the NonConcattingString.new(string) it works (at least >> >> for >> >> >> me) >> >> >> don''t know the implications though, wdyt? >> >> >> jk >> >> >> 2011/2/10 Joaquin Rivera Padron <joahk...@gmail.com> >> >> >> >>> yes, if by 3-0-stable you mean 3.0.0, yes it works >> >> >>> thanks for the "ping offer", I''ll let you know if anything, but I >> >> won''t >> >> >>> (can''t) be full time chasing the bug :-( >> >> >>> jk >> >> >> >>> 2011/2/10 Santiago Pastorino <santi...@wyeworks.com> >> >> >> >>>> Great, ping me if I can help you. >> >> >>>> BTW did you tried 3-0-stable? >> >> >> >>>> On Thu, Feb 10, 2011 at 9:51 AM, Joaquin Rivera Padron >> >> >>>> <joahk...@gmail.com> wrote: >> >> >>>> > for me are broken also versions 3.0.4, 3.0.4.rc1, 3.0.3 and 3.0.2 >> >> >>>> > ok is 3.0.1, will keep digging then >> >> >>>> > jk >> >> >> >>>> > 2011/2/9 Brian Morearty <bmorea...@gmail.com> >> >> >> >>>> >> Yes, I saw something similar when I upgraded to 3.0.4 this >> >> morning. I >> >> >>>> >> didn''t have a chance to debug it so for the moment I went back to >> >> >>>> >> 3.0.1. I wasn''t sure if it was my doing so I didn''t say anything >> >> on >> >> >>>> >> this list. >> >> >> >>>> >> I have a helper function that returns an HTML string. The function >> >> >>>> >> calls .html_safe before returning. That worked in 3.0.1 but in >> >> 3.0.4 >> >> >>>> >> it is being escaped in the output. >> >> >> >>>> >> I also tried adding .html_safe to the .html.erb file (double-safe >> >> it) >> >> >>>> >> but to no avail. >> >> >> >>>> >> I was not able to reproduce it in a simple case though, even in >> >> very >> >> >>>> >> same function. >> >> >> >>>> >> Brian >> >> >> >>>> >> On Feb 9, 1:06 pm, Joaquin Rivera Padron <joahk...@gmail.com> >> >> wrote: >> >> >>>> >> > hello, >> >> >>>> >> > I have today updated my rails app to 3.0.4 security release but >> >> now >> >> >>>> >> > this >> >> >> >>>> >> > yield :javascripts >> >> >> >>>> >> > fails in the layout and I get my custom js escaped as text in >> >> the >> >> >>>> >> > view. >> >> >> >>>> >> > anybody seeing this also? >> >> >> >>>> >> > tia, >> >> >>>> >> > jk >> >> >> >>>> >> > --www.least-significant-bit.com >> >> >> >>>> >> -- >> >> >>>> >> You received this message because you are subscribed to the Google >> >> >>>> >> Groups >> >> >>>> >> "Ruby on Rails: Core" group. >> >> >>>> >> To post to this group, send email to >> >> >>>> >> rubyonrails-core@googlegroups.com. >> >> >>>> >> To unsubscribe from this group, send email to >> >> >>>> >> rubyonrails-core+unsubscribe@googlegroups.com. >> >> >>>> >> For more options, visit this group at >> >> >>>> >>http://groups.google.com/group/rubyonrails-core?hl=en. >> >> >> >>>> > -- >> >> >>>> >www.least-significant-bit.com >> >> >> >>>> > -- >> >> >>>> > You received this message because you are subscribed to the Google >> >> >>>> > Groups >> >> >>>> > "Ruby on Rails: Core" group. >> >> >>>> > To post to this group, send email to >> >> >>>> > rubyonrails-core@googlegroups.com. >> >> >>>> > To unsubscribe from this group, send email to >> >> >>>> > rubyonrails-core+unsubscribe@googlegroups.com. >> >> >>>> > For more options, visit this group at >> >> >>>> >http://groups.google.com/group/rubyonrails-core?hl=en. >> >> >> >>>> -- >> >> >>>> You received this message because you are subscribed to the Google >> >> >>>> Groups "Ruby on Rails: Core" group. >> >> >>>> To post to this group, send email to >> >> rubyonrails-core@googlegroups.com. >> >> >>>> To unsubscribe from this group, send email to >> >> >>>> rubyonrails-core+unsubscribe@googlegroups.com. >> >> >>>> For more options, visit this group at >> >> >>>>http://groups.google.com/group/rubyonrails-core?hl=en. >> >> >> >>> -- >> >> >>>www.least-significant-bit.com >> >> >> >> -- >> >> >>www.least-significant-bit.com >> >> >> > -- >> >> >www.least-significant-bit.com >> >> >> > -- >> >> > You received this message because you are subscribed to the Google >> >> Groups >> >> > "Ruby on Rails: Core" group. >> >> > To post to this group, send email to rubyonrails-core@googlegroups.com. >> >> > To unsubscribe from this group, send email to >> >> > rubyonrails-core+unsubscribe@googlegroups.com. >> >> > For more options, visit this group at >> >> >http://groups.google.com/group/rubyonrails-core?hl=en. >> >> >> -- >> >> You received this message because you are subscribed to the Google Groups >> >> "Ruby on Rails: Core" group. >> >> To post to this group, send email to rubyonrails-core@googlegroups.com. >> >> To unsubscribe from this group, send email to >> >> rubyonrails-core+unsubscribe@googlegroups.com. >> >> For more options, visit this group at >> >>http://groups.google.com/group/rubyonrails-core?hl=en. >> >> > -- >> >www.least-significant-bit.com >> >> --www.least-significant-bit.com > > -- > You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group. > To post to this group, send email to rubyonrails-core@googlegroups.com. > To unsubscribe from this group, send email to rubyonrails-core+unsubscribe@googlegroups.com. > For more options, visit this group at http://groups.google.com/group/rubyonrails-core?hl=en. > >-- You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group. To post to this group, send email to rubyonrails-core@googlegroups.com. To unsubscribe from this group, send email to rubyonrails-core+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/rubyonrails-core?hl=en.
Thanks, Santiago. I will submit a patch to deprecate the escape param/ option. I''ve created a ticket to track it: https://rails.lighthouseapp.com/projects/8994-ruby-on-rails/tickets/6421-deprecate-escape-parameteroption-in-three-helper-functions Brian On Feb 12, 7:43 am, Santiago Pastorino <santi...@wyeworks.com> wrote:> Hey Brian, > > I think we should remove the escape parameter at least herehttps://github.com/rails/rails/blob/e8c870726a67a27965b2a5333a5ecf450.... > I haven''t checked it in other places but I that guess could be removed > too, so if you want to go ahead do it and deprecate it for 3-0-stable. > We should use html_safe when you need to not escape. > > Best, > Santiago. > > On Thu, Feb 10, 2011 at 3:01 PM, Brian Morearty <bmorea...@gmail.com> wrote: > > The change that Santiago mentioned (https://github.com/rails/rails/ > > commit/bb9c58eb4aa637fa75c69c705a9918d6322ff834) also causes > > content_tag always to escape its output, even when the ''escape'' > > parameter is set to false. However, from my experiments it seems the > > ''escape'' parameter wasn''t working before the change either. Instead of > > always escaping the output, content_tag was never escaping the output. > > > In a 3.0.1 Rails project the output is never escaped but html_safe? > > always returns true: > > > rails console > > Loading development environment (Rails 3.0.1) > > ruby-1.8.7-p330 :001 > helper.content_tag :div do ''<b>hello</b>'' > > end > > => "<div><b>hello</b></div>" > > ruby-1.8.7-p330 :002 > (helper.content_tag :div do ''<b>hello</b>'' > > end).html_safe? > > => true > > ruby-1.8.7-p330 :003 > helper.content_tag :div,nil,nil,true do > > ''<b>hello</b>'' end > > => "<div><b>hello</b></div>" > > ruby-1.8.7-p330 :004 > (helper.content_tag :div,nil,nil,true do > > ''<b>hello</b>'' end).html_safe? > > => true > > ruby-1.8.7-p330 :005 > helper.content_tag :div,nil,nil,false do > > ''<b>hello</b>'' end > > => "<div><b>hello</b></div>" > > ruby-1.8.7-p330 :006 > (helper.content_tag :div,nil,nil,false do > > ''<b>hello</b>'' end).html_safe? > > => true > > > In a Rails 3.0.2 project the content is always escaped and html_safe? > > always returns true: > > > rails console > > Loading development environment (Rails 3.0.2) > > ruby-1.8.7-p330 :001 > helper.content_tag :div do ''<b>hello</b>'' end > > => "<div><b>hello</b></div>" > > ruby-1.8.7-p330 :002 > (helper.content_tag :div do ''<b>hello</b>'' > > end).html_safe? > > => true > > ruby-1.8.7-p330 :003 > helper.content_tag :div,nil,nil,true do > > ''<b>hello</b>'' end > > => "<div><b>hello</b></div>" > > ruby-1.8.7-p330 :004 > (helper.content_tag :div,nil,nil,true do > > ''<b>hello</b>'' end).html_safe? > > => true > > ruby-1.8.7-p330 :005 > helper.content_tag :div,nil,nil,false do > > ''<b>hello</b>'' end > > => "<div><b>hello</b></div>" > > ruby-1.8.7-p330 :006 > (helper.content_tag :div,nil,nil,false do > > ''<b>hello</b>'' end).html_safe? > > => true > > > So at least in Rails 3.0.2 the html_safe? function is reporting the > > truth. But content_tag escapes the output even when escape=false (see > > the last two lines). > > > I would submit a patch but I''m not sure what the right fix is. > > > Brian Morearty > > > On Feb 10, 5:36 am, Joaquin Rivera Padron <joahk...@gmail.com> wrote: > >> you are totally right, I was missing a html_safe :-) > > >> this is wrong as now: > > >> content_for :js do > >> <<JS > >> <script type="text/javascript"> > >> alert(''hello''); > >> </script> > >> JS > >> end > > >> this is ok: > > >> js = <<JS > >> <script type="text/javascript"> > >> alert(''hello''); > >> </script> > >> JS > > >> content_for :js do > >> js.html_safe > >> end > > >> thanks a lot > >> jk > > >> 2011/2/10 Joaquin Rivera Padron <joahk...@gmail.com> > > >> > I''ll check, thanks for the reply > > >> > jk > > >> > 2011/2/10 Santiago Pastorino <santi...@wyeworks.com> > > >> >> This commit > >> >>https://github.com/rails/rails/commit/2c8bff3513b17a8ad55595a61601bfb... > >> >> just changes from html_escape string to ERB::Util.html_escape(string) > >> >> so both are calling the same method. > > >> >> You''re talking about this one > > >> >>https://github.com/rails/rails/commit/bb9c58eb4aa637fa75c69c705a9918d... > >> >> and this fix a security issue. I''d say that you''re missing a html_safe > >> >> some where. > > >> >> On Thu, Feb 10, 2011 at 10:54 AM, Joaquin Rivera Padron > >> >> <joahk...@gmail.com> wrote: > > >> >> > commit 2c8bff3513b17a8ad55595a61601bfba14ad40bf > >> >> > Author: Santiago Pastorino <santi...@wyeworks.com> > >> >> > Date: Tue Nov 2 20:18:22 2010 -0200 > >> >> > Call as ERB::Util.html_escape since is not the module is not > >> >> included > >> >> > here > > >> >> > 2011/2/10 Joaquin Rivera Padron <joahk...@gmail.com> > > >> >> >> hi, > >> >> >> I diff-ed 3.0.0 with 3.0.1 and I got this > >> >> >> diff --git > >> >> a/actionpack/lib/action_dispatch/routing/polymorphic_routes.rb > >> >> >> b/actionpack/lib/action_dispatch/routing/polymorphic_routes.rb > >> >> >> index 142cd08..fb2118a 100644 > >> >> >> --- a/actionpack/lib/action_dispatch/routing/polymorphic_routes.rb > >> >> >> +++ b/actionpack/lib/action_dispatch/routing/polymorphic_routes.rb > >> >> >> @@ -17,7 +17,7 @@ module ActionDispatch > >> >> >> # > >> >> >> ...skipping... > >> >> >> buffer = with_output_buffer { value = yield(*args) } > >> >> >> if string = buffer.presence || value and string.is_a?(String) > >> >> >> - NonConcattingString.new(string) > >> >> >> + NonConcattingString.new(ERB::Util.html_escape(string)) > >> >> >> end > >> >> >> end > >> >> >> if I put bac k the NonConcattingString.new(string) it works (at least > >> >> for > >> >> >> me) > >> >> >> don''t know the implications though, wdyt? > >> >> >> jk > >> >> >> 2011/2/10 Joaquin Rivera Padron <joahk...@gmail.com> > > >> >> >>> yes, if by 3-0-stable you mean 3.0.0, yes it works > >> >> >>> thanks for the "ping offer", I''ll let you know if anything, but I > >> >> won''t > >> >> >>> (can''t) be full time chasing the bug :-( > >> >> >>> jk > > >> >> >>> 2011/2/10 Santiago Pastorino <santi...@wyeworks.com> > > >> >> >>>> Great, ping me if I can help you. > >> >> >>>> BTW did you tried 3-0-stable? > > >> >> >>>> On Thu, Feb 10, 2011 at 9:51 AM, Joaquin Rivera Padron > >> >> >>>> <joahk...@gmail.com> wrote: > >> >> >>>> > for me are broken also versions 3.0.4, 3.0.4.rc1, 3.0.3 and 3.0.2 > >> >> >>>> > ok is 3.0.1, will keep digging then > >> >> >>>> > jk > > >> >> >>>> > 2011/2/9 Brian Morearty <bmorea...@gmail.com> > > >> >> >>>> >> Yes, I saw something similar when I upgraded to 3.0.4 this > >> >> morning. I > >> >> >>>> >> didn''t have a chance to debug it so for the moment I went back to > >> >> >>>> >> 3.0.1. I wasn''t sure if it was my doing so I didn''t say anything > >> >> on > >> >> >>>> >> this list. > > >> >> >>>> >> I have a helper function that returns an HTML string. The function > >> >> >>>> >> calls .html_safe before returning. That worked in 3.0.1 but in > >> >> 3.0.4 > >> >> >>>> >> it is being escaped in the output. > > >> >> >>>> >> I also tried adding .html_safe to the .html.erb file (double-safe > >> >> it) > >> >> >>>> >> but to no avail. > > >> >> >>>> >> I was not able to reproduce it in a simple case though, even in > >> >> very > >> >> >>>> >> same function. > > >> >> >>>> >> Brian > > >> >> >>>> >> On Feb 9, 1:06 pm, Joaquin Rivera Padron <joahk...@gmail.com> > >> >> wrote: > >> >> >>>> >> > hello, > >> >> >>>> >> > I have today updated my rails app to 3.0.4 security release but > >> >> now > >> >> >>>> >> > this > > >> >> >>>> >> > yield :javascripts > > >> >> >>>> >> > fails in the layout and I get my custom js escaped as text in > >> >> the > >> >> >>>> >> > view. > > >> >> >>>> >> > anybody seeing this also? > > >> >> >>>> >> > tia, > >> >> >>>> >> > jk > > >> >> >>>> >> > --www.least-significant-bit.com > > >> >> >>>> >> -- > >> >> >>>> >> You received this message because you are subscribed to the Google > >> >> >>>> >> Groups > >> >> >>>> >> "Ruby on Rails: Core" group. > >> >> >>>> >> To post to this group, send email to > >> >> >>>> >> rubyonrails-core@googlegroups.com. > >> >> >>>> >> To unsubscribe from this group, send email to > >> >> >>>> >> rubyonrails-core+unsubscribe@googlegroups.com. > >> >> >>>> >> For more options, visit this group at > >> >> >>>> >>http://groups.google.com/group/rubyonrails-core?hl=en. > > >> >> >>>> > -- > >> >> >>>> >www.least-significant-bit.com > > >> >> >>>> > -- > >> >> >>>> > You received this message because you are subscribed to the Google > >> >> >>>> > Groups > >> >> >>>> > "Ruby on Rails: Core" group. > >> >> >>>> > To post to this group, send email to > >> >> >>>> > rubyonrails-core@googlegroups.com. > >> >> >>>> > To unsubscribe from this group, send email to > >> >> >>>> > rubyonrails-core+unsubscribe@googlegroups.com. > >> >> >>>> > For more options, visit this group at > >> >> >>>> >http://groups.google.com/group/rubyonrails-core?hl=en. > > >> >> >>>> -- > >> >> >>>> You received this message because you are subscribed to the Google > >> >> >>>> Groups "Ruby on Rails: Core" group. > >> >> >>>> To post to this group, send email to > >> >> rubyonrails-core@googlegroups.com. > >> >> >>>> To unsubscribe from this group, send email to > >> >> >>>> rubyonrails-core+unsubscribe@googlegroups.com. > >> >> >>>> For more options, visit this group at > >> >> >>>>http://groups.google.com/group/rubyonrails-core?hl=en. > > >> >> >>> -- > >> >> >>>www.least-significant-bit.com > > >> >> >> -- > >> >> >>www.least-significant-bit.com > > >> >> > -- > >> >> >www.least-significant-bit.com > > >> >> > -- > >> >> > You received this message because you are subscribed to the Google > >> >> Groups > >> >> > "Ruby on Rails: Core" group. > >> >> > To post to this group, send email to rubyonrails-core@googlegroups.com. > >> >> > To unsubscribe from this group, send email to > >> >> > rubyonrails-core+unsubscribe@googlegroups.com. > >> >> > For more options, visit this group at > >> >> >http://groups.google.com/group/rubyonrails-core?hl=en. > > >> >> -- > >> >> You received this message because you are subscribed to the Google Groups > >> >> "Ruby on Rails: Core" group. > >> >> To post to this group, send email to rubyonrails-core@googlegroups.com. > >> >> To unsubscribe from this group, send email to > >> >> rubyonrails-core+unsubscribe@googlegroups.com. > >> >> For more options, > > ... > > read more »-- You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group. To post to this group, send email to rubyonrails-core@googlegroups.com. To unsubscribe from this group, send email to rubyonrails-core+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/rubyonrails-core?hl=en.
The patch is done, tested by me, and ready to be vetted by others. If any of you are interested in looking at it, here it is: https://rails.lighthouseapp.com/projects/8994/tickets/6421-deprecate-escape-parameteroption-in-three-helper-functions#ticket-6421-5 The 3 helper functions mentioned above (FormTagHelper#text_area_tag, TagHelper#content_tag, and TagHelper#tag ) will have the following behavior after these patches are applied: * In 3.0.5, using the ''escape'' parameter or option will show a deprecation message. * In 3.1 the ''escape'' parameter or option to these 3 methods is removed. The correct way to specify escaping behavior is to call (or not call) html_safe on the parameters. Both the rdoc and the tests are updated. Please respond if anything looks amiss or if it all looks good. Brian On Feb 12, 9:30 am, Brian Morearty <bmorea...@gmail.com> wrote:> Thanks, Santiago. I will submit a patch to deprecate the escape param/ > option. > > I''ve created a ticket to track it: > > https://rails.lighthouseapp.com/projects/8994-ruby-on-rails/tickets/6... > > Brian > > On Feb 12, 7:43 am, Santiago Pastorino <santi...@wyeworks.com> wrote: > > > Hey Brian, > > > I think we should remove the escape parameter at least herehttps://github.com/rails/rails/blob/e8c870726a67a27965b2a5333a5ecf450.... > > I haven''t checked it in other places but I that guess could be removed > > too, so if you want to go ahead do it and deprecate it for 3-0-stable. > > We should use html_safe when you need to not escape. > > > Best, > > Santiago. > > > On Thu, Feb 10, 2011 at 3:01 PM, Brian Morearty <bmorea...@gmail.com> wrote: > > > The change that Santiago mentioned (https://github.com/rails/rails/ > > > commit/bb9c58eb4aa637fa75c69c705a9918d6322ff834) also causes > > > content_tag always to escape its output, even when the ''escape'' > > > parameter is set to false. However, from my experiments it seems the > > > ''escape'' parameter wasn''t working before the change either. Instead of > > > always escaping the output, content_tag was never escaping the output. > > > > In a 3.0.1 Rails project the output is never escaped but html_safe? > > > always returns true: > > > > rails console > > > Loading development environment (Rails 3.0.1) > > > ruby-1.8.7-p330 :001 > helper.content_tag :div do ''<b>hello</b>'' > > > end > > > => "<div><b>hello</b></div>" > > > ruby-1.8.7-p330 :002 > (helper.content_tag :div do ''<b>hello</b>'' > > > end).html_safe? > > > => true > > > ruby-1.8.7-p330 :003 > helper.content_tag :div,nil,nil,true do > > > ''<b>hello</b>'' end > > > => "<div><b>hello</b></div>" > > > ruby-1.8.7-p330 :004 > (helper.content_tag :div,nil,nil,true do > > > ''<b>hello</b>'' end).html_safe? > > > => true > > > ruby-1.8.7-p330 :005 > helper.content_tag :div,nil,nil,false do > > > ''<b>hello</b>'' end > > > => "<div><b>hello</b></div>" > > > ruby-1.8.7-p330 :006 > (helper.content_tag :div,nil,nil,false do > > > ''<b>hello</b>'' end).html_safe? > > > => true > > > > In a Rails 3.0.2 project the content is always escaped and html_safe? > > > always returns true: > > > > rails console > > > Loading development environment (Rails 3.0.2) > > > ruby-1.8.7-p330 :001 > helper.content_tag :div do ''<b>hello</b>'' end > > > => "<div><b>hello</b></div>" > > > ruby-1.8.7-p330 :002 > (helper.content_tag :div do ''<b>hello</b>'' > > > end).html_safe? > > > => true > > > ruby-1.8.7-p330 :003 > helper.content_tag :div,nil,nil,true do > > > ''<b>hello</b>'' end > > > => "<div><b>hello</b></div>" > > > ruby-1.8.7-p330 :004 > (helper.content_tag :div,nil,nil,true do > > > ''<b>hello</b>'' end).html_safe? > > > => true > > > ruby-1.8.7-p330 :005 > helper.content_tag :div,nil,nil,false do > > > ''<b>hello</b>'' end > > > => "<div><b>hello</b></div>" > > > ruby-1.8.7-p330 :006 > (helper.content_tag :div,nil,nil,false do > > > ''<b>hello</b>'' end).html_safe? > > > => true > > > > So at least in Rails 3.0.2 the html_safe? function is reporting the > > > truth. But content_tag escapes the output even when escape=false (see > > > the last two lines). > > > > I would submit a patch but I''m not sure what the right fix is. > > > > Brian Morearty > > > > On Feb 10, 5:36 am, Joaquin Rivera Padron <joahk...@gmail.com> wrote: > > >> you are totally right, I was missing a html_safe :-) > > > >> this is wrong as now: > > > >> content_for :js do > > >> <<JS > > >> <script type="text/javascript"> > > >> alert(''hello''); > > >> </script> > > >> JS > > >> end > > > >> this is ok: > > > >> js = <<JS > > >> <script type="text/javascript"> > > >> alert(''hello''); > > >> </script> > > >> JS > > > >> content_for :js do > > >> js.html_safe > > >> end > > > >> thanks a lot > > >> jk > > > >> 2011/2/10 Joaquin Rivera Padron <joahk...@gmail.com> > > > >> > I''ll check, thanks for the reply > > > >> > jk > > > >> > 2011/2/10 Santiago Pastorino <santi...@wyeworks.com> > > > >> >> This commit > > >> >>https://github.com/rails/rails/commit/2c8bff3513b17a8ad55595a61601bfb... > > >> >> just changes from html_escape string to ERB::Util.html_escape(string) > > >> >> so both are calling the same method. > > > >> >> You''re talking about this one > > > >> >>https://github.com/rails/rails/commit/bb9c58eb4aa637fa75c69c705a9918d... > > >> >> and this fix a security issue. I''d say that you''re missing a html_safe > > >> >> some where. > > > >> >> On Thu, Feb 10, 2011 at 10:54 AM, Joaquin Rivera Padron > > >> >> <joahk...@gmail.com> wrote: > > > >> >> > commit 2c8bff3513b17a8ad55595a61601bfba14ad40bf > > >> >> > Author: Santiago Pastorino <santi...@wyeworks.com> > > >> >> > Date: Tue Nov 2 20:18:22 2010 -0200 > > >> >> > Call as ERB::Util.html_escape since is not the module is not > > >> >> included > > >> >> > here > > > >> >> > 2011/2/10 Joaquin Rivera Padron <joahk...@gmail.com> > > > >> >> >> hi, > > >> >> >> I diff-ed 3.0.0 with 3.0.1 and I got this > > >> >> >> diff --git > > >> >> a/actionpack/lib/action_dispatch/routing/polymorphic_routes.rb > > >> >> >> b/actionpack/lib/action_dispatch/routing/polymorphic_routes.rb > > >> >> >> index 142cd08..fb2118a 100644 > > >> >> >> --- a/actionpack/lib/action_dispatch/routing/polymorphic_routes.rb > > >> >> >> +++ b/actionpack/lib/action_dispatch/routing/polymorphic_routes.rb > > >> >> >> @@ -17,7 +17,7 @@ module ActionDispatch > > >> >> >> # > > >> >> >> ...skipping... > > >> >> >> buffer = with_output_buffer { value = yield(*args) } > > >> >> >> if string = buffer.presence || value and string.is_a?(String) > > >> >> >> - NonConcattingString.new(string) > > >> >> >> + NonConcattingString.new(ERB::Util.html_escape(string)) > > >> >> >> end > > >> >> >> end > > >> >> >> if I put bac k the NonConcattingString.new(string) it works (at least > > >> >> for > > >> >> >> me) > > >> >> >> don''t know the implications though, wdyt? > > >> >> >> jk > > >> >> >> 2011/2/10 Joaquin Rivera Padron <joahk...@gmail.com> > > > >> >> >>> yes, if by 3-0-stable you mean 3.0.0, yes it works > > >> >> >>> thanks for the "ping offer", I''ll let you know if anything, but I > > >> >> won''t > > >> >> >>> (can''t) be full time chasing the bug :-( > > >> >> >>> jk > > > >> >> >>> 2011/2/10 Santiago Pastorino <santi...@wyeworks.com> > > > >> >> >>>> Great, ping me if I can help you. > > >> >> >>>> BTW did you tried 3-0-stable? > > > >> >> >>>> On Thu, Feb 10, 2011 at 9:51 AM, Joaquin Rivera Padron > > >> >> >>>> <joahk...@gmail.com> wrote: > > >> >> >>>> > for me are broken also versions 3.0.4, 3.0.4.rc1, 3.0.3 and 3.0.2 > > >> >> >>>> > ok is 3.0.1, will keep digging then > > >> >> >>>> > jk > > > >> >> >>>> > 2011/2/9 Brian Morearty <bmorea...@gmail.com> > > > >> >> >>>> >> Yes, I saw something similar when I upgraded to 3.0.4 this > > >> >> morning. I > > >> >> >>>> >> didn''t have a chance to debug it so for the moment I went back to > > >> >> >>>> >> 3.0.1. I wasn''t sure if it was my doing so I didn''t say anything > > >> >> on > > >> >> >>>> >> this list. > > > >> >> >>>> >> I have a helper function that returns an HTML string. The function > > >> >> >>>> >> calls .html_safe before returning. That worked in 3.0.1 but in > > >> >> 3.0.4 > > >> >> >>>> >> it is being escaped in the output. > > > >> >> >>>> >> I also tried adding .html_safe to the .html.erb file (double-safe > > >> >> it) > > >> >> >>>> >> but to no avail. > > > >> >> >>>> >> I was not able to reproduce it in a simple case though, even in > > >> >> very > > >> >> >>>> >> same function. > > > >> >> >>>> >> Brian > > > >> >> >>>> >> On Feb 9, 1:06 pm, Joaquin Rivera Padron <joahk...@gmail.com> > > >> >> wrote: > > >> >> >>>> >> > hello, > > >> >> >>>> >> > I have today updated my rails app to 3.0.4 security release but > > >> >> now > > >> >> >>>> >> > this > > > >> >> >>>> >> > yield :javascripts > > > >> >> >>>> >> > fails in the layout and I get my custom js escaped as text in > > >> >> the > > >> >> >>>> >> > view. > > > >> >> >>>> >> > anybody seeing this also? > > > >> >> >>>> >> > tia, > > >> >> >>>> >> > jk > > > >> >> >>>> >> > --www.least-significant-bit.com > > > >> >> >>>> >> -- > > >> >> >>>> >> You received this message because you are subscribed to the Google > > >> >> >>>> >> Groups > > >> >> >>>> >> "Ruby on Rails: Core" group. > > >> >> >>>> >> To post to this group, send email to > > >> >> >>>> >> rubyonrails-core@googlegroups.com. > > >> >> >>>> >> To unsubscribe from this group, send email to > > >> >> >>>> >> rubyonrails-core+unsubscribe@googlegroups.com. > > >> >> >>>> >> For more options, visit this group at > > >> >> >>>> >>http://groups.google.com/group/rubyonrails-core?hl=en. > > > >> >> >>>> > -- > > >> >> >>>> >www.least-significant-bit.com > > > >> >> >>>> > -- > > >> >> >>>> > You received this message because you are subscribed to the Google > > >> >> >>>> > Groups > > >> >> >>>> > "Ruby on Rails: Core" group. > > >> >> >>>> > To post to this group, send email to > > >> >> >>>> > rubyonrails-core@googlegroups.com. > > >> >> >>>> > To unsubscribe from this group, send email to > > >> >> >>>> > rubyonrails-core+unsubscribe@googlegroups.com. > > >> >> >>>> > For more options, visit this group at > > >> >> >>>> >http://groups.google.com/group/rubyonrails-core?hl=en. > > > >> >> >>>> -- > > >> >> >>>> You received this message because you are subscribed to the Google > > >> >> >>>> Groups "Ruby on Rails: Core" group. > > >> >> >>>> To post to this group, send email to > > >> >> rubyonrails-core@googlegroups.com. > > >> >> >>>> To unsubscribe from this group, send email to > > >> >> >>>> rubyonrails-core+unsubscribe@googlegroups.com. > > >> >> >>>> For more options, visit this group at > > >> >> >>>>http://groups.google.com/group/rubyonrails-core?hl=en. > > > >> >> >>> -- > > ... > > read more »-- You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group. To post to this group, send email to rubyonrails-core@googlegroups.com. To unsubscribe from this group, send email to rubyonrails-core+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/rubyonrails-core?hl=en.
whoops: https://rails.lighthouseapp.com/projects/8994-ruby-on-rails/tickets/6421-deprecate-escape-parameteroption-in-three-helper-functions#ticket-6421-5 On Feb 12, 9:30 am, Brian Morearty <bmorea...@gmail.com> wrote:> Thanks, Santiago. I will submit a patch to deprecate the escape param/ > option. > > I''ve created a ticket to track it: > > https://rails.lighthouseapp.com/projects/8994-ruby-on-rails/tickets/6... > > Brian > > On Feb 12, 7:43 am, Santiago Pastorino <santi...@wyeworks.com> wrote: > > > Hey Brian, > > > I think we should remove the escape parameter at least herehttps://github.com/rails/rails/blob/e8c870726a67a27965b2a5333a5ecf450.... > > I haven''t checked it in other places but I that guess could be removed > > too, so if you want to go ahead do it and deprecate it for 3-0-stable. > > We should use html_safe when you need to not escape. > > > Best, > > Santiago. > > > On Thu, Feb 10, 2011 at 3:01 PM, Brian Morearty <bmorea...@gmail.com> wrote: > > > The change that Santiago mentioned (https://github.com/rails/rails/ > > > commit/bb9c58eb4aa637fa75c69c705a9918d6322ff834) also causes > > > content_tag always to escape its output, even when the ''escape'' > > > parameter is set to false. However, from my experiments it seems the > > > ''escape'' parameter wasn''t working before the change either. Instead of > > > always escaping the output, content_tag was never escaping the output. > > > > In a 3.0.1 Rails project the output is never escaped but html_safe? > > > always returns true: > > > > rails console > > > Loading development environment (Rails 3.0.1) > > > ruby-1.8.7-p330 :001 > helper.content_tag :div do ''<b>hello</b>'' > > > end > > > => "<div><b>hello</b></div>" > > > ruby-1.8.7-p330 :002 > (helper.content_tag :div do ''<b>hello</b>'' > > > end).html_safe? > > > => true > > > ruby-1.8.7-p330 :003 > helper.content_tag :div,nil,nil,true do > > > ''<b>hello</b>'' end > > > => "<div><b>hello</b></div>" > > > ruby-1.8.7-p330 :004 > (helper.content_tag :div,nil,nil,true do > > > ''<b>hello</b>'' end).html_safe? > > > => true > > > ruby-1.8.7-p330 :005 > helper.content_tag :div,nil,nil,false do > > > ''<b>hello</b>'' end > > > => "<div><b>hello</b></div>" > > > ruby-1.8.7-p330 :006 > (helper.content_tag :div,nil,nil,false do > > > ''<b>hello</b>'' end).html_safe? > > > => true > > > > In a Rails 3.0.2 project the content is always escaped and html_safe? > > > always returns true: > > > > rails console > > > Loading development environment (Rails 3.0.2) > > > ruby-1.8.7-p330 :001 > helper.content_tag :div do ''<b>hello</b>'' end > > > => "<div><b>hello</b></div>" > > > ruby-1.8.7-p330 :002 > (helper.content_tag :div do ''<b>hello</b>'' > > > end).html_safe? > > > => true > > > ruby-1.8.7-p330 :003 > helper.content_tag :div,nil,nil,true do > > > ''<b>hello</b>'' end > > > => "<div><b>hello</b></div>" > > > ruby-1.8.7-p330 :004 > (helper.content_tag :div,nil,nil,true do > > > ''<b>hello</b>'' end).html_safe? > > > => true > > > ruby-1.8.7-p330 :005 > helper.content_tag :div,nil,nil,false do > > > ''<b>hello</b>'' end > > > => "<div><b>hello</b></div>" > > > ruby-1.8.7-p330 :006 > (helper.content_tag :div,nil,nil,false do > > > ''<b>hello</b>'' end).html_safe? > > > => true > > > > So at least in Rails 3.0.2 the html_safe? function is reporting the > > > truth. But content_tag escapes the output even when escape=false (see > > > the last two lines). > > > > I would submit a patch but I''m not sure what the right fix is. > > > > Brian Morearty > > > > On Feb 10, 5:36 am, Joaquin Rivera Padron <joahk...@gmail.com> wrote: > > >> you are totally right, I was missing a html_safe :-) > > > >> this is wrong as now: > > > >> content_for :js do > > >> <<JS > > >> <script type="text/javascript"> > > >> alert(''hello''); > > >> </script> > > >> JS > > >> end > > > >> this is ok: > > > >> js = <<JS > > >> <script type="text/javascript"> > > >> alert(''hello''); > > >> </script> > > >> JS > > > >> content_for :js do > > >> js.html_safe > > >> end > > > >> thanks a lot > > >> jk > > > >> 2011/2/10 Joaquin Rivera Padron <joahk...@gmail.com> > > > >> > I''ll check, thanks for the reply > > > >> > jk > > > >> > 2011/2/10 Santiago Pastorino <santi...@wyeworks.com> > > > >> >> This commit > > >> >>https://github.com/rails/rails/commit/2c8bff3513b17a8ad55595a61601bfb... > > >> >> just changes from html_escape string to ERB::Util.html_escape(string) > > >> >> so both are calling the same method. > > > >> >> You''re talking about this one > > > >> >>https://github.com/rails/rails/commit/bb9c58eb4aa637fa75c69c705a9918d... > > >> >> and this fix a security issue. I''d say that you''re missing a html_safe > > >> >> some where. > > > >> >> On Thu, Feb 10, 2011 at 10:54 AM, Joaquin Rivera Padron > > >> >> <joahk...@gmail.com> wrote: > > > >> >> > commit 2c8bff3513b17a8ad55595a61601bfba14ad40bf > > >> >> > Author: Santiago Pastorino <santi...@wyeworks.com> > > >> >> > Date: Tue Nov 2 20:18:22 2010 -0200 > > >> >> > Call as ERB::Util.html_escape since is not the module is not > > >> >> included > > >> >> > here > > > >> >> > 2011/2/10 Joaquin Rivera Padron <joahk...@gmail.com> > > > >> >> >> hi, > > >> >> >> I diff-ed 3.0.0 with 3.0.1 and I got this > > >> >> >> diff --git > > >> >> a/actionpack/lib/action_dispatch/routing/polymorphic_routes.rb > > >> >> >> b/actionpack/lib/action_dispatch/routing/polymorphic_routes.rb > > >> >> >> index 142cd08..fb2118a 100644 > > >> >> >> --- a/actionpack/lib/action_dispatch/routing/polymorphic_routes.rb > > >> >> >> +++ b/actionpack/lib/action_dispatch/routing/polymorphic_routes.rb > > >> >> >> @@ -17,7 +17,7 @@ module ActionDispatch > > >> >> >> # > > >> >> >> ...skipping... > > >> >> >> buffer = with_output_buffer { value = yield(*args) } > > >> >> >> if string = buffer.presence || value and string.is_a?(String) > > >> >> >> - NonConcattingString.new(string) > > >> >> >> + NonConcattingString.new(ERB::Util.html_escape(string)) > > >> >> >> end > > >> >> >> end > > >> >> >> if I put bac k the NonConcattingString.new(string) it works (at least > > >> >> for > > >> >> >> me) > > >> >> >> don''t know the implications though, wdyt? > > >> >> >> jk > > >> >> >> 2011/2/10 Joaquin Rivera Padron <joahk...@gmail.com> > > > >> >> >>> yes, if by 3-0-stable you mean 3.0.0, yes it works > > >> >> >>> thanks for the "ping offer", I''ll let you know if anything, but I > > >> >> won''t > > >> >> >>> (can''t) be full time chasing the bug :-( > > >> >> >>> jk > > > >> >> >>> 2011/2/10 Santiago Pastorino <santi...@wyeworks.com> > > > >> >> >>>> Great, ping me if I can help you. > > >> >> >>>> BTW did you tried 3-0-stable? > > > >> >> >>>> On Thu, Feb 10, 2011 at 9:51 AM, Joaquin Rivera Padron > > >> >> >>>> <joahk...@gmail.com> wrote: > > >> >> >>>> > for me are broken also versions 3.0.4, 3.0.4.rc1, 3.0.3 and 3.0.2 > > >> >> >>>> > ok is 3.0.1, will keep digging then > > >> >> >>>> > jk > > > >> >> >>>> > 2011/2/9 Brian Morearty <bmorea...@gmail.com> > > > >> >> >>>> >> Yes, I saw something similar when I upgraded to 3.0.4 this > > >> >> morning. I > > >> >> >>>> >> didn''t have a chance to debug it so for the moment I went back to > > >> >> >>>> >> 3.0.1. I wasn''t sure if it was my doing so I didn''t say anything > > >> >> on > > >> >> >>>> >> this list. > > > >> >> >>>> >> I have a helper function that returns an HTML string. The function > > >> >> >>>> >> calls .html_safe before returning. That worked in 3.0.1 but in > > >> >> 3.0.4 > > >> >> >>>> >> it is being escaped in the output. > > > >> >> >>>> >> I also tried adding .html_safe to the .html.erb file (double-safe > > >> >> it) > > >> >> >>>> >> but to no avail. > > > >> >> >>>> >> I was not able to reproduce it in a simple case though, even in > > >> >> very > > >> >> >>>> >> same function. > > > >> >> >>>> >> Brian > > > >> >> >>>> >> On Feb 9, 1:06 pm, Joaquin Rivera Padron <joahk...@gmail.com> > > >> >> wrote: > > >> >> >>>> >> > hello, > > >> >> >>>> >> > I have today updated my rails app to 3.0.4 security release but > > >> >> now > > >> >> >>>> >> > this > > > >> >> >>>> >> > yield :javascripts > > > >> >> >>>> >> > fails in the layout and I get my custom js escaped as text in > > >> >> the > > >> >> >>>> >> > view. > > > >> >> >>>> >> > anybody seeing this also? > > > >> >> >>>> >> > tia, > > >> >> >>>> >> > jk > > > >> >> >>>> >> > --www.least-significant-bit.com > > > >> >> >>>> >> -- > > >> >> >>>> >> You received this message because you are subscribed to the Google > > >> >> >>>> >> Groups > > >> >> >>>> >> "Ruby on Rails: Core" group. > > >> >> >>>> >> To post to this group, send email to > > >> >> >>>> >> rubyonrails-core@googlegroups.com. > > >> >> >>>> >> To unsubscribe from this group, send email to > > >> >> >>>> >> rubyonrails-core+unsubscribe@googlegroups.com. > > >> >> >>>> >> For more options, visit this group at > > >> >> >>>> >>http://groups.google.com/group/rubyonrails-core?hl=en. > > > >> >> >>>> > -- > > >> >> >>>> >www.least-significant-bit.com > > > >> >> >>>> > -- > > >> >> >>>> > You received this message because you are subscribed to the Google > > >> >> >>>> > Groups > > >> >> >>>> > "Ruby on Rails: Core" group. > > >> >> >>>> > To post to this group, send email to > > >> >> >>>> > rubyonrails-core@googlegroups.com. > > >> >> >>>> > To unsubscribe from this group, send email to > > >> >> >>>> > rubyonrails-core+unsubscribe@googlegroups.com. > > >> >> >>>> > For more options, visit this group at > > >> >> >>>> >http://groups.google.com/group/rubyonrails-core?hl=en. > > > >> >> >>>> -- > > >> >> >>>> You received this message because you are subscribed to the Google > > >> >> >>>> Groups "Ruby on Rails: Core" group. > > >> >> >>>> To post to this group, send email to > > >> >> rubyonrails-core@googlegroups.com. > > >> >> >>>> To unsubscribe from this group, send email to > > >> >> >>>> rubyonrails-core+unsubscribe@googlegroups.com. > > >> >> >>>> For more options, visit this group at > > >> >> >>>>http://groups.google.com/group/rubyonrails-core?hl=en. > > > >> >> >>> -- > > ... > > read more »-- You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group. To post to this group, send email to rubyonrails-core@googlegroups.com. To unsubscribe from this group, send email to rubyonrails-core+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/rubyonrails-core?hl=en.