Hi, Can somebody update me on the state of html_safe strings in rails 2.3.8? I know rails 2.3.6 and 2.3.7 broke a lot of code because strings were being escaped when they shouldn''t have been and I thought this was all fixed in 2.3.8. I''m upgrading an app from 2.3.5 to 2.3.8 and there are many spots where previous code was output correctly and now it expects html_safe method calls to properly escape the strings. Are those who don''t want to use the new escaping behaviour in the 2.3.x branch expected to stick with 2.3.5 from now on moving forward? Thanks, Andrew -- Posted via http://www.ruby-forum.com/. -- You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.
I just hit a similar problem where I was concatenating strings with escapable characters within a formbuilder. I googled about and there seems to be a some logic being discussed that anything that is "magic security" is going to be a nightmare. My problems were quite isolated (the great thing about form builders) What was: ''<a id="'' + field_name.to_s + ''-help" href="#" class="tooltip" title="'' + help + ''">'' Turned into ''<a id="''.html_safe + field_name.to_s + ''-help" href="#" class="tooltip" title="''.html_safe + help + ''">''.html_safe I am sure there are other ways but this seemed the easiest for me for string concatenation. O. -- You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.
Andrew Kaspick wrote:> I''m upgrading an app from 2.3.5 to 2.3.8 and there are many spots where > previous code was output correctly and now it expects html_safe method > calls to properly escape the strings. Are those who don''t want to use > the new escaping behaviour in the 2.3.x branch expected to stick with > 2.3.5 from now on moving forward?I haven''t yet done the conversion of my 2.3.5 app to 2.3.8, will hopefully do so soon. I intend to do this as a first step in preparing it for Rails 3. However, as I understand it nothing should change in the escaping unless you install the rails_xss. In fact that was the problem with 2.3.6 & 2.3.7. Version 2.3.6 introduced a problem discovered by the HAML guys, and 2.3.7 was a hasty fix for that, which broken stuff for everyone else. Version 2.3.8 was supposed to get things back to normal. -- Posted via http://www.ruby-forum.com/. -- You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.
Robert Walker wrote:> Andrew Kaspick wrote: >> I''m upgrading an app from 2.3.5 to 2.3.8 and there are many spots where >> previous code was output correctly and now it expects html_safe method >> calls to properly escape the strings. Are those who don''t want to use >> the new escaping behaviour in the 2.3.x branch expected to stick with >> 2.3.5 from now on moving forward? > > I haven''t yet done the conversion of my 2.3.5 app to 2.3.8, will > hopefully do so soon. I intend to do this as a first step in preparing > it for Rails 3. However, as I understand it nothing should change in the > escaping unless you install the rails_xss. > > In fact that was the problem with 2.3.6 & 2.3.7. Version 2.3.6 > introduced a problem discovered by the HAML guys, and 2.3.7 was a hasty > fix for that, which broken stuff for everyone else. Version 2.3.8 was > supposed to get things back to normal.Exactly. I''m not using the rails_xss plugin, but the escaping rules are not as they were in 2.3.5. String literals were "safe" in 2.3.5, but aren''t in 2.3.8... a minor difference with huge implications. I was looking at hacking the rails code to fix this for my local app, but wasn''t sure why this would even still be a problem for 2.3.8 when this release was supposed to "fix" the fiasco that was 2.3.6 and 2.3.7. -- Posted via http://www.ruby-forum.com/. -- You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.
Andrew Kaspick wrote:> Exactly. I''m not using the rails_xss plugin, but the escaping rules are > not as they were in 2.3.5. String literals were "safe" in 2.3.5, but > aren''t in 2.3.8... a minor difference with huge implications.I created a quick-n-dirty test app. See the result here: http://www.ruby-forum.com/topic/214314#new -- Posted via http://www.ruby-forum.com/. -- You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.
Robert Walker wrote:> Andrew Kaspick wrote: >> Exactly. I''m not using the rails_xss plugin, but the escaping rules are >> not as they were in 2.3.5. String literals were "safe" in 2.3.5, but >> aren''t in 2.3.8... a minor difference with huge implications. > > I created a quick-n-dirty test app. See the result here: > > http://www.ruby-forum.com/topic/214314#new2.3.8 should not require the use of "raw" to do what worked out of the box in 2.3.5 and every release before that if rails_xss is not installed. 2.3.8>> " ".html_safe? => false That result right there is why "raw" would be required now in 2.3.8 and not in 2.3.5. String literals in 2.3.8 should not be false... in rails 3 though that is correct and the expected result. -- Posted via http://www.ruby-forum.com/. -- You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.
Andrew Kaspick wrote:> Robert Walker wrote: >> Andrew Kaspick wrote: >>> Exactly. I''m not using the rails_xss plugin, but the escaping rules are >>> not as they were in 2.3.5. String literals were "safe" in 2.3.5, but >>> aren''t in 2.3.8... a minor difference with huge implications. >> >> I created a quick-n-dirty test app. See the result here: >> >> http://www.ruby-forum.com/topic/214314#new > > 2.3.8 should not require the use of "raw" to do what worked out of the > box in 2.3.5 and every release before that if rails_xss is not > installed. > > 2.3.8>> " ".html_safe? > => false > > That result right there is why "raw" would be required now in 2.3.8 and > not in 2.3.5. String literals in 2.3.8 should not be false... in rails > 3 though that is correct and the expected result.There are other changes in 2.3.8 that are the cause of the escaping issues, but at the moment my app is not upgradeable to 2.3.8. I just wanted to know if others are having this issue, and it sounds like people are, but I''m still not sure if this is a bug or if this is the expected behviour for 2.3.8. If this is expected behaviour for 2.3.8 then this should not have been in a "minor" point release and instead saved for a 2.4 release or something. Quite disappointing. -- Posted via http://www.ruby-forum.com/. -- You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.
Andrew Kaspick wrote:> I just wanted to know if others are having this issue, and it sounds > like people are, but I''m still not sure if this is a bug or if this is > the expected behviour for 2.3.8. If this is expected behaviour for > 2.3.8 then this should not have been in a "minor" point release and > instead saved for a 2.4 release or something. Quite disappointing.I don''t know, but my quick test was really quite simple and certainly didn''t present the behavior I would have expected from a Rails 2.3.x application: welcome_helper ------------------------ def gotcha_helper content_tag(:script, "alert(''Gotcha!'')") end index.html.erb ------------------------ <%= h gotcha_helper %> Generated HTML - Rails 2.3.8 ------------------------ <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/> <title>untitled</title> </head> <body> <script>alert(''Gotcha!'')</script> </body> </html> Obviously not escaping is being done here and I see a JS alert dialog. Rails 2.3.5 HTML (in question) ------------------------ <script>alert(''Gotcha!'')</script> All else being equal I''d call this a bug, but that''s just me. Maybe I''m missing something obvious. -- Posted via http://www.ruby-forum.com/. -- You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.