1 true 2008-07-23T15:02:25+01:00 26939 9903 683 problem-with-railssanitize-white_list_sanitizer-sanitize 157 8994 committed 2.0-stable 2.1 patch sanitize 2008-11-14T15:32:43+00:00 12160 Ryan McGeary sauce http://rails.lighthouseapp.com/projects/8994/tickets/683 2.x Problem with RailsSanitize.white_list_sanitizer.sanitize. Exemple : RailsSanitize.white_list_sanitizer.sanitize("<a href=\"http://www.domain.com?var1=1&var2=2\">my link</a>") is OK and gives "<a href=\"http://www.domain.com?var1=1&amp;var2=2\">my link</a>" RailsSanitize.white_list_sanitizer.sanitize("<a href=\"http://www.domain.com?var1=1&amp;var2=2\">my link</a>") is BAD and gives "<a href=\"http://www.domain.com?var1=1&amp;amp;var2=2\">my link</a>" As I sanitize each time I save my model, rails sanitize each time "&" so string is growing every time. (&amp;amp;amp;amp;amp;...) Problem with RailsSanitize.white_list_sanitizer.sanitize. Exemple : RailsSanitize.white_list_sanitizer.sanitize("<a href=\"http://www.domain.com?var1=1&var2=2\">my link</a>") is OK and gives "<a href=\"http://www.domain.com?var1=1&amp;var2=2\">my link</a>" RailsSanitize.white_list_sanitizer.sanitize("<a href=\"http://www.domain.com?var1=1&amp;var2=2\">my link</a>") is BAD and gives "<a href=\"http://www.domain.com?var1=1&amp;amp;var2=2\">my link</a>" As I sanitize each time I save my model, rails sanitize each time "&" so string is growing every time. (&amp;amp;amp;amp;amp;...) <div><p> Problem with RailsSanitize.white_list_sanitizer.sanitize. </p><p> Exemple : </p><p> RailsSanitize.white_list_sanitizer.sanitize("my link") is OK and gives "my link" </p><p> RailsSanitize.white_list_sanitizer.sanitize("my link") is BAD and gives "my link" </p><p> As I sanitize each time I save my model, rails sanitize each time "&" so string is growing every time. (&amp;amp;amp;amp;amp;...) </p></div> 0 Problem with RailsSanitize.white_list_sanitizer.sanitize. Example : RailsSanitize.white_list_sanitizer.sanitize("&lt;a href=\"http://www.domain.com?var1=1&var2=2\"&gt;my link&lt;/a&gt;") is OK and gives "&lt;a href=\"http://www.domain.com?var1=1&amp;amp;var2=2\"&gt;my link&lt;/a&gt;" RailsSanitize.white_list_sanitizer.sanitize("&lt;a href=\"http://www.domain.com?var1=1&amp;amp;var2=2\"&gt;my link&lt;/a&gt;") is BAD and gives "&lt;a href=\"http://www.domain.com?var1=1&amp;amp;amp;var2=2\"&gt;my link&lt;/a&gt;" As I sanitize each time I save my model, rails sanitize each time "&" so string is growing every time. (&amp;amp;amp;amp;amp;...) Sorry for my english I am french ! <div><p> Problem with RailsSanitize.white_list_sanitizer.sanitize. </p><p> Example : </p><p> RailsSanitize.white_list_sanitizer.sanitize("&lt;a href=\"http://www.domain.com?var1=1&var2=2\"&gt;my link&lt;/a&gt;") is OK and gives "&lt;a href=\"http://www.domain.com?var1=1&amp;amp;var2=2\"&gt;my link&lt;/a&gt;" </p><p> RailsSanitize.white_list_sanitizer.sanitize("&lt;a href=\"http://www.domain.com?var1=1&amp;amp;var2=2\"&gt;my link&lt;/a&gt;") is BAD and gives "&lt;a href=\"http://www.domain.com?var1=1&amp;amp;amp;var2=2\"&gt;my link&lt;/a&gt;" </p><p> As I sanitize each time I save my model, rails sanitize each time "&" so string is growing every time. (&amp;amp;amp;amp;amp;...) </p><p> Sorry for my english I am french ! </p></div> false 2008-07-23T15:14:21+01:00 26939 --- {} 9903 683 problem-with-railssanitize-white_list_sanitizer-sanitize 0 8994 new 2008-07-23T15:14:21+01:00 26939 sauce sauce http://rails.lighthouseapp.com/projects/8994/tickets/683 2.x 0 This [change set](http://github.com/antonmos/rails/commit/9a27a23d077dbdd3e29f8f1b57b6c04e04259151) fixes this issue <div><p>This <a href="http://github.com/antonmos/rails/commit/9a27a23d077dbdd3e29f8f1b57b6c04e04259151">change set</a> fixes this issue</p></div> false 2008-08-27T19:50:16+01:00 26939 --- :tag: "" 9903 683 problem-with-railssanitize-white_list_sanitizer-sanitize 0 8994 new 2.0-stable 2.1 patch sanitize 2008-08-27T19:50:16+01:00 23995 antonmos sauce http://rails.lighthouseapp.com/projects/8994/tickets/683 2.x 0 It seems not to be fixed. CGI.unescape does not know much named entities and character references over U+FFFF. <img alt="&#131072; is a &laquo;kanji&raquo;" ...> gives <img alt="&amp;#131072; is a &amp;laquo;kanji&amp;raquo;" ...> # U+20000 is valid character. # In category "CJK Unified Ideographs Extension B" GOOD result is: <img alt="&#131072; is a &laquo;kanji&raquo;" ...> or <img alt="&#131072; is a &#171;kanji&#187;" ...> or <img alt="? is a «kanji»" ...> <div><p>It seems not to be fixed. CGI.unescape does not know much named entities and character references over U+FFFF.</p> <p><img alt="&amp;amp;#131072; is a &amp;amp;laquo;kanji&amp;amp;raquo;"> gives <img alt="&amp;amp;amp;#131072; is a &amp;amp;amp;laquo;kanji&amp;amp;amp;raquo;"></p> <h1>U+20000 is valid character.</h1> <h1>In category "CJK Unified Ideographs Extension B"</h1> <p>GOOD result is: <img alt="&amp;amp;#131072; is a &amp;amp;laquo;kanji&amp;amp;raquo;"> or <img alt="&amp;amp;#131072; is a &amp;amp;#171;kanji&amp;amp;#187;"> or <img alt="? is a &amp;laquo;kanji&amp;raquo;"></p></div> false 2008-09-02T06:11:44+01:00 26939 --- {} 9903 683 problem-with-railssanitize-white_list_sanitizer-sanitize-2 0 8994 new 2.0-stable 2.1 patch sanitize 2008-09-02T06:11:44+01:00 30696 Tietew sauce http://rails.lighthouseapp.com/projects/8994/tickets/683 2.x 0 Oops, tags are stripped... It seems not to be fixed. CGI.unescape does not know much named entities and character references over U+FFFF. @@@ html <img alt="&#131072; is a &laquo;kanji&raquo;" ...> gives <img alt="&amp;#131072; is a &amp;laquo;kanji&amp;raquo;" ...> @@@ # U+20000 is valid character. # In category "CJK Unified Ideographs Extension B" @@@ html GOOD result is: <img alt="&#131072; is a &laquo;kanji&raquo;" ...> or <img alt="&#131072; is a &#171;kanji&#187;" ...> or <img alt="? is a «kanji»" ...> @@@ <div><p>Oops, tags are stripped...</p> <p>It seems not to be fixed. CGI.unescape does not know much named entities and character references over U+FFFF.</p> <pre><code class="html"> &lt;img alt=&quot;&amp;#131072; is a &amp;laquo;kanji&amp;raquo;&quot; ...&gt; gives &lt;img alt=&quot;&amp;amp;#131072; is a &amp;amp;laquo;kanji&amp;amp;raquo;&quot; ...&gt; </code></pre> <p># U+20000 is valid character. # In category "CJK Unified Ideographs Extension B"</p> <pre><code class="html"> GOOD result is: &lt;img alt=&quot;&amp;#131072; is a &amp;laquo;kanji&amp;raquo;&quot; ...&gt; or &lt;img alt=&quot;&amp;#131072; is a &amp;#171;kanji&amp;#187;&quot; ...&gt; or &lt;img alt=&quot;? is a «kanji»&quot; ...&gt; </code></pre></div> false 2008-09-02T06:15:40+01:00 26939 --- {} 9903 683 problem-with-railssanitize-white_list_sanitizer-sanitize-3 0 8994 new 2.0-stable 2.1 patch sanitize 2008-09-02T06:15:40+01:00 30696 Tietew sauce http://rails.lighthouseapp.com/projects/8994/tickets/683 2.x 0 +1 on antonmos's changes. Here's a formatted patch that incorporates the changes to comply with the Rails contribution guidelines. <div><p>+1 on antonmos's changes. Here's a formatted patch that incorporates the changes to comply with the Rails contribution guidelines.</p></div> false 2008-10-17T03:41:43+01:00 26939 --- {} 9903 683 problem-with-railssanitize-white_list_sanitizer-sanitize 0 8994 new 2.0-stable 2.1 patch sanitize 2008-10-17T03:41:48+01:00 12160 Ryan McGeary sauce http://rails.lighthouseapp.com/projects/8994/tickets/683 2.x 1 +1. This bug has burned me in my app. Patch works, tests passed. <div><ol> <li>This bug has burned me in my app.</li> </ol> <p>Patch works, tests passed.</p></div> false 2008-10-17T03:55:42+01:00 26939 --- {} 9903 683 problem-with-railssanitize-white_list_sanitizer-sanitize 0 8994 new 2.0-stable 2.1 patch sanitize 2008-10-17T03:55:46+01:00 23189 Christopher Murphy sauce http://rails.lighthouseapp.com/projects/8994/tickets/683 2.x 1 That should be +1. <div><p>That should be +1.</p></div> false 2008-10-17T03:56:11+01:00 26939 --- {} 9903 683 problem-with-railssanitize-white_list_sanitizer-sanitize 0 8994 new 2.0-stable 2.1 patch sanitize 2008-10-17T03:56:12+01:00 23189 Christopher Murphy sauce http://rails.lighthouseapp.com/projects/8994/tickets/683 2.x 1 +1 This bug has ruined my life. <div><p>+1 This bug has ruined my life.</p></div> false 2008-10-23T01:47:47+01:00 26939 --- {} 9903 683 problem-with-railssanitize-white_list_sanitizer-sanitize 0 8994 new 2.0-stable 2.1 patch sanitize 2008-10-23T01:47:50+01:00 22386 Coderifous sauce http://rails.lighthouseapp.com/projects/8994/tickets/683 2.x 1 +1 Patch works great for me. The problem Tietew mentions is a general problem with sanitize and not caused by the proposed patch. Any chance to get this into 2.2? <div><p>+1</p> <p>Patch works great for me. The problem Tietew mentions is a general problem with sanitize and not caused by the proposed patch.</p> <p>Any chance to get this into 2.2?</p></div> false 2008-11-06T11:17:23+00:00 26939 --- {} 9903 683 problem-with-railssanitize-white_list_sanitizer-sanitize 0 8994 new 2.0-stable 2.1 patch sanitize 2008-11-06T11:17:26+00:00 9088 theflow sauce http://rails.lighthouseapp.com/projects/8994/tickets/683 2.x 1 (from [a358d87e16fa876de29286b69474ab6aaee4a80b]) Fixed the sanitize helper to avoid double escaping already properly escaped entities [#683 state:committed] http://github.com/rails/rails/commit/a358d87e16fa876de29286b69474ab6aaee4a80b <div><p>(from [a358d87e16fa876de29286b69474ab6aaee4a80b]) Fixed the sanitize helper to avoid double escaping already properly escaped entities [<a href="/projects/8994/tickets/683" title="Ticket #683">#683</a> state:committed] <a href="http://github.com/rails/rails/commit/a358d87e16fa876de29286b69474ab6aaee4a80b"> http://github.com/rails/rails/co...</a></p></div> true 2008-11-06T12:09:01+00:00 26939 --- :state: new 9903 683 problem-with-railssanitize-white_list_sanitizer-sanitize 0 8994 committed 2.0-stable 2.1 patch sanitize 2008-11-06T12:09:02+00:00 17393 Repository sauce http://rails.lighthouseapp.com/projects/8994/tickets/683 2.x 1 (from [6406a87eedb74a41f19f5ad21ea1b8f97dd45755]) Fixed the sanitize helper to avoid double escaping already properly escaped entities [#683 state:committed] http://github.com/rails/rails/commit/6406a87eedb74a41f19f5ad21ea1b8f97dd45755 <div><p>(from [6406a87eedb74a41f19f5ad21ea1b8f97dd45755]) Fixed the sanitize helper to avoid double escaping already properly escaped entities [<a href="/projects/8994/tickets/683" title="Ticket #683">#683</a> state:committed] <a href="http://github.com/rails/rails/commit/6406a87eedb74a41f19f5ad21ea1b8f97dd45755"> http://github.com/rails/rails/co...</a></p></div> true 2008-11-06T12:09:01+00:00 26939 --- {} 9903 683 problem-with-railssanitize-white_list_sanitizer-sanitize 0 8994 committed 2.0-stable 2.1 patch sanitize 2008-11-06T12:09:04+00:00 17393 Repository sauce http://rails.lighthouseapp.com/projects/8994/tickets/683 2.x 1 Sorry, I havn't tried it yet, but it sounds like a bad idea. Maybe as an option, disabled by default. But what, if the user wants to write &amp; or &auml; as a comment? As far as I understand, Rails will now ignore these entities and it will be displayed as & or ä. <div><p>Sorry, I havn't tried it yet, but it sounds like a bad idea. Maybe as an option, disabled by default.</p> <p>But what, if the user wants to write &amp; or &auml; as a comment? As far as I understand, Rails will now ignore these entities and it will be displayed as &amp; or &auml;.</p></div> true 2008-11-14T15:15:20+00:00 26939 --- {} 9903 683 problem-with-railssanitize-white_list_sanitizer-sanitize 0 8994 committed 2.0-stable 2.1 patch sanitize 2008-11-14T15:15:25+00:00 18453 iGEL sauce http://rails.lighthouseapp.com/projects/8994/tickets/683 2.x 1 If you want a demonstration of the problem, look above. Of course I wanted to write & a m p ; and & a u m l; without spaces (I try double escaping: &amp;amp; &amp;auml;). What the user enters should be displayed, he shouldn't care about entities and everything... <div><p>If you want a demonstration of the problem, look above. Of course I wanted to write &amp; a m p ; and &amp; a u m l; without spaces (I try double escaping: &amp;amp; &amp;auml;). What the user enters should be displayed, he shouldn't care about entities and everything...</p></div> true 2008-11-14T15:20:48+00:00 26939 --- {} 9903 683 problem-with-railssanitize-white_list_sanitizer-sanitize 0 8994 committed 2.0-stable 2.1 patch sanitize 2008-11-14T15:20:53+00:00 18453 iGEL sauce http://rails.lighthouseapp.com/projects/8994/tickets/683 2.x 1 iGEL, I disagree. The purpose of the sanitize method is to sanitize HTML input. The ampersand entities are valid HTML. When displayed, they should display the entities they represent, not the literal codes. In other words, you should expect [& a m p ;] to be displayed as an ampersand. Just like an html tag shouldn't be escaped to it's lt and gt entities, entities themselves should not be escaped either. <div><p>iGEL, I disagree. The purpose of the sanitize method is to sanitize HTML input. The ampersand entities are valid HTML. When displayed, they should display the entities they represent, not the literal codes.</p> <p>In other words, you should expect [&amp; a m p ;] to be displayed as an ampersand. Just like an html tag shouldn't be escaped to it's lt and gt entities, entities themselves should not be escaped either.</p></div> true 2008-11-14T15:32:39+00:00 26939 --- {} 9903 683 problem-with-railssanitize-white_list_sanitizer-sanitize 0 8994 committed 2.0-stable 2.1 patch sanitize 2008-11-14T15:32:43+00:00 12160 Ryan McGeary sauce http://rails.lighthouseapp.com/projects/8994/tickets/683 2.x 2c15f2776769ac52e8781275656d11e56b39ed93 text/plain 2008-10-17T03:41:43+01:00 ticket_683.diff 54788 1946 12160 http://rails.lighthouseapp.com/attachments/54788/ticket_683.diff