Button_to does not return an HTML-safe string
Reported by Bruno Michel | November 1st, 2009 @ 12:45 PM | in 2.3.6
In the 2-3-stable branch, the button_to helper does not return a string marked as safe. I've made a small patch to fix it.
Comments and changes to this ticket
-
Bruno Michel November 1st, 2009 @ 01:08 PM
- Tag changed from 2-3-stable, xss to 2-3-stable, patch, xss
-
Michael Koziarski November 30th, 2009 @ 08:36 PM
- Milestone set to 2.3.6
-
Santiago Pastorino March 8th, 2010 @ 08:56 PM
- State changed from new to open
Yes, you're right Bruno.
First of all, can you provide a failing test case? And I must say that your patch is wrong: you're not on the current 2-3-stable branch. The actual code is:
"<form method=\"#{form_method}\" action=\"#{escape_once url}\" class=\"button-to\"><div>" + method_tag + tag("input", html_options) + request_token_tag + "</div></form>".html_safe
and should be:
("<form method=\"#{form_method}\" action=\"#{escape_once url}\" class=\"button-to\"><div>" + method_tag + tag("input", html_options) + request_token_tag + "</div></form>").html_safe
Note that it is html_safe, not html_safe!
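The precedence problem Santiago points at above can be reproduced without Rails. The following is an added example, not code from the ticket or from Rails itself: it uses a constructed stand-in for ActiveSupport::SafeBuffer and String#html_safe (assumed to follow the same rule as Rails, i.e. plain String + anything gives a plain String, while SafeBuffer + plain String escapes the right-hand side), a simplified escape_once, and simplified input/token tags in place of the helper's own method_tag, tag("input", ...) and request_token_tag. The two button_to_* functions are the "before" and "after" expressions from the comment, and render shows what an on-by-default-escaping <%= %> does with each.

```ruby
require "cgi"

# Constructed stand-in for ActiveSupport::SafeBuffer (not Rails' own class).
# A String that remembers it is already escaped; appending a plain String
# escapes that String first, appending another SafeBuffer does not.
class SafeBuffer < String
  def html_safe?
    true
  end

  def +(other)
    SafeBuffer.new(super(other.html_safe? ? other : CGI.escapeHTML(other.to_s)))
  end
end

class String
  def html_safe?
    false
  end

  def html_safe
    SafeBuffer.new(self)
  end
end

# Escape HTML metacharacters but leave entities that are already there alone
# (same idea as Rails' escape_once, simplified for this example).
def escape_once(str)
  str.to_s.gsub(/["><']|&(?!([a-zA-Z]+|#\d+|#[xX]\h+);)/,
                "&" => "&amp;", ">" => "&gt;", "<" => "&lt;",
                '"' => "&quot;", "'" => "&#39;")
end

# Simplified stand-ins for the pieces button_to concatenates; each one has
# already escaped its attribute values, so each is marked safe on its own.
def input_tag(name)
  %(<input type="submit" value="#{CGI.escapeHTML(name)}" />).html_safe
end

def request_token_tag(token)
  %(<input name="authenticity_token" type="hidden" value="#{CGI.escapeHTML(token)}" />).html_safe
end

# The 2-3-stable expression as quoted in the ticket: .html_safe binds only to
# the last literal. The leftmost operand is a plain String, so String#+ runs
# and the whole result comes back as a plain, unsafe String.
def button_to_before(name, url, token)
  %(<form method="post" action="#{escape_once url}" class="button-to"><div>) +
    input_tag(name) + request_token_tag(token) + "</div></form>".html_safe
end

# The corrected expression: build the complete markup first, then mark the
# whole thing safe once every embedded value has been escaped.
def button_to_after(name, url, token)
  (%(<form method="post" action="#{escape_once url}" class="button-to"><div>) +
    input_tag(name) + request_token_tag(token) + "</div></form>").html_safe
end

# What an ERB <%= %> does with on-by-default escaping: anything that is not
# html_safe? gets escaped again, so the unsafe "before" result shows up in the
# page as literal &lt;form ...&gt; text instead of a button.
def render(value)
  value.html_safe? ? value.to_s : CGI.escapeHTML(value.to_s)
end

if $PROGRAM_NAME == __FILE__
  puts "before html_safe?: #{button_to_before('Go', '/p?a=1&b=2', 'tok').html_safe?}"
  puts "after  html_safe?: #{button_to_after('Go', '/p?a=1&b=2', 'tok').html_safe?}"
  puts render(button_to_before("Go", "/p?a=1&b=2", "tok"))
  puts render(button_to_after("Go", "/p?a=1&b=2", "tok"))
end
```

The check that matters for review is the one in the last two lines of output: the "after" form keeps the single, correct escaping of the URL (`&amp;` once, from escape_once) and is emitted as markup, while the "before" form is escaped a second time by the template. Marking the fully assembled string safe, rather than one of its pieces, is the only place where the helper can make that promise honestly.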
-
Bruno Michel March 8th, 2010 @ 10:06 PM
And I must say that your patch is wrong: you're not on the current 2-3-stable branch.
Hey, I was on the 2-3-stable when I created the patch in October last year ;-) But html_safe! has been deprecated in favor of html_safe since (in January IIRC).
First of all, can you provide a failing test case?
Sure, I've attached the new patch with a unit test.
-
Bruno Michel March 8th, 2010 @ 10:08 PM
Hmm, it looks like Lighthouse has bugged, and my last comment and patch were posted two times.
-
Santiago Pastorino March 9th, 2010 @ 11:12 PM
- State changed from open to verified
-
Santiago Pastorino March 22nd, 2010 @ 01:56 AM
- State changed from verified to committed
Referenced by
- 3018 Introduce notion of 'html_safe?' to Strings in preparation for on-by-default XSS This was committed as in #3448.
- 3018 Introduce notion of 'html_safe?' to Strings in preparation for on-by-default XSS I was advised to create a new ticket for this bug to help...
- 3785 Content_tag_string Sanitizes Possibly Unsafe HTML This ticket is related to the ongoing work on HTML safe s...