
Escaping is being done on static HTML in results of <%= cache... %> calls and tabnav plugin output #11

Open
weyus opened this issue Jan 25, 2010 · 5 comments



weyus commented Jan 25, 2010

Rails 2.3.5

I installed this plugin and saw most of my page start displaying HTML source. It appears that the static HTML in the output of a call like:

<% cache "header-#{current_user.id}", 1.day.from_now do -%>
<%= render :partial => '/layouts/header' %>
<% end -%>

or

<%= start_tabnav :customer %>
<%= show_flash(:success) %>
<%= show_flash(:notice) %>
<%= show_flash(:error) %>
<%= yield %>
<%= end_tabnav %>

is being escaped, thus showing up as raw text in the browser.

@NZKoz
Owner

NZKoz commented Jan 25, 2010

The cache case looks like it could be a bug.

Could you paste the implementation of your tab / flash helpers into a gist for me to take a look at? That's either a bug in rails_xss or a change you need to make to your code.

@weyus
Author

weyus commented Jan 25, 2010

Here's the gist: http://gist.github.com/286289

It looks like I need to call raw in front of each of these, as in:

<%= raw show_flash... %>
<%= raw start_tabnav... %>

@NZKoz
Owner

NZKoz commented Jan 25, 2010

Yes, you'll need to either call raw in your views, or modify your helpers to pre-mark those strings as safe. e.g.

(result + css).html_safe!

A String is considered safe ONLY if we're told it's safe; we don't try to guess based on the content, as this is likely to lead to security bugs. We've made efforts to ensure that all helpers which use the built-in tag helpers will be 'magically' safe, but for your kind of helpers, where you're manipulating big strings, you'll have to do the marking yourself.

However the cache case seems like it should work out of the box.
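The marking rule described in the comment above, as an added example that is not part of this thread or of rails_xss: a constructed stand-in for the safe-buffer behaviour (not Rails' own code), a flash helper that returns a plain String and therefore gets escaped on output, and the same helper vouching for its finished markup. The example uses the `html_safe` name that Rails 3 shipped with; the comment above uses the plugin's `html_safe!`.

```ruby
require 'cgi'

# Stand-in for ActiveSupport::SafeBuffer (constructed for this example, not
# Rails' code): a String that remembers it was vetted and that HTML-escapes
# any unvetted String appended to it.
class SafeBuffer < String
  def html_safe?
    true
  end

  # Appending: safe input is copied through, a plain String is escaped.
  def concat(other)
    super(other.html_safe? ? other : CGI.escapeHTML(other.to_s))
  end
  alias_method :<<, :concat
end

class String
  # A plain String is never trusted; only an explicit mark makes it safe.
  def html_safe?
    false
  end

  def html_safe
    SafeBuffer.new(self)
  end
end

# What `<%= value %>` does under rails_xss: append into the view's buffer.
def erb_output(value)
  SafeBuffer.new << value
end

# Helper as the reporter wrote it: builds markup from plain strings and
# returns an ordinary String, so `<%= show_flash(:notice) %>` escapes it all.
def show_flash_unmarked(flash, key)
  return '' unless flash[key]
  %(<div class="flash #{key}">#{CGI.escapeHTML(flash[key].to_s)}</div>)
end

# Same helper, marked safe as suggested above. Order matters: the helper
# escapes the message (which may carry user input) first and only then
# vouches for the finished markup; marking unescaped input would be an XSS.
def show_flash_marked(flash, key)
  show_flash_unmarked(flash, key).html_safe
end
```

Run with a flash such as `{ notice: 'Saved <b>ok</b>' }`: the unmarked helper's output arrives in the browser as visible `<div ...>` text, while the marked one renders the div with only the message's angle brackets escaped.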

@weyus
Author

weyus commented Jan 25, 2010

Many thanks.

BTW, I think this is a great feature to add to the default set of features in Rails 3.

@NZKoz
Owner

NZKoz commented Jan 25, 2010

Yes, it's already been included ;)

grosser referenced this issue in grosser/rails_xss Aug 19, 2012
Fix escape_javascript to support SafeBuffer strings