Hey all,

Just wondering if there is any reason that the new XSS safety code in 2.3.7 is escaping my partials. That don't seem right!

I've overcome it temporarily by throwing in a "raw" like this:

    <%= render raw :partial => 'mypartial' %>

It's also escaping any inline <SCRIPT> tags in the templates. (This may be by design, I dunno.)

In advance of some responses that might come from this question, I've already read the update I've copied below and don't think it applies here since I installed the rails_xss plugin.

TIA,
Dee

"Update: fixing compatibility with the rails_xss plugin broke HTML-safety for apps that don't use rails_xss. We're sorry, all: HTML-safety is meant to be opt-in! The fix is available now in 2.3.8.pre1 and will be released shortly."

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.
Sorry, I had a little typo in my code. That should read:

    <%= raw render :partial => 'mypartial' %>

(Note the order in which raw is called.)

On May 24, 8:38 pm, Dee <dger...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> Just wondering if there is any reason that the new XSS safety code in
> 2.3.7 is escaping my partials. That don't seem right!
>
> I've overcome it temporarily by throwing in a "raw" like this:
> <%= render raw :partial => 'mypartial' %>
On Mon, May 24, 2010 at 5:38 PM, Dee <dgerton-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> Just wondering if there is any reason that the new XSS safety code in
> 2.3.7 is escaping my partials. That don't seem right!

Definitely not right! Are you using the latest rails_xss plugin from http://github.com/rails/rails_xss ?

jeremy
Yes. I installed it yesterday after 2.3.7 because it was recommended. I have since upgraded to 2.3.8.pre1 (which still reports it is 2.3.7 btw) and get similar results as before.

I have since noticed that not all of the partials are getting escaped, just the ones being called inside a content_for block. Easy repro. That might be the key, eh? It still doesn't seem right.

On May 24, 11:51 pm, Jeremy Kemper <jer...-w7CzD/W5Ocjk1uMJSBkQmQ@public.gmane.org> wrote:
> On Mon, May 24, 2010 at 5:38 PM, Dee <dger...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> > Just wondering if there is any reason that the new XSS safety code in
> > 2.3.7 is escaping my partials. That don't seem right!
>
> Definitely not right! Are you using the latest rails_xss plugin from http://github.com/rails/rails_xss ?
>
> jeremy
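As an added illustration (not code from the thread and not Rails' own implementation), a toy Ruby model of the rails_xss output-buffer rule: plain Strings are escaped when appended, html_safe strings pass through, and `raw` only marks trusted markup. It assumes simplified SafeString/OutputBuffer classes and a hypothetical lossy capture that drops the safe flag, which reproduces the double-escaping symptom described above without claiming to be the actual Rails 2.3.7 code path.

```ruby
require 'cgi'
# Toy model (added example, not Rails' own code) of how rails_xss output
# buffers behave: plain Strings are escaped on append, html_safe ones are not.
class SafeString < String
  def html_safe?; true; end
end
class String
  def html_safe?; false; end
  def html_safe; SafeString.new(self); end
end
class OutputBuffer < SafeString
  def <<(value)
    # Avoid to_s here: on a String subclass it returns a plain String copy.
    s = value.is_a?(String) ? value : value.to_s
    super(s.html_safe? ? s : CGI.escapeHTML(s))
  end
end
# raw marks already-trusted markup so the buffer leaves it alone.
def raw(value)
  value.to_s.html_safe
end
# Stand-in for a rendered partial: trusted markup, marked safe like template output.
def render_partial(name)
  "<p class=\"#{name}\">hello</p>".html_safe
end
# Partial appended directly: rendered once, not escaped.
def page_direct
  OutputBuffer.new << render_partial("mypartial")
end

# Hypothetical capture that stores block output as a plain String: the safe
# flag is lost, so the layout escapes the markup again. This models the
# symptom from the thread (partials inside content_for), not real Rails code.
def page_via_lossy_capture
  captured = String.new(render_partial("mypartial"))
  OutputBuffer.new << captured
end

# Same capture into a safe buffer: the flag survives, no double escaping.
def page_via_safe_capture
  captured = OutputBuffer.new << render_partial("mypartial")
  OutputBuffer.new << captured
end

# raw wraps the render *result* (the corrected order in the thread);
# user-supplied data appended without raw is still escaped.
def page_with_user_input(user_input)
  OutputBuffer.new << raw(render_partial("mypartial")) << user_input
end
```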