Link_to doesn't escape its input
Reported by Bruno Michel | November 29th, 2009 @ 02:16 PM | in 3.0.2
Hi,
The link_to helper doesn't escape its first argument.
Ryan Bates has made a bug report on github for the Rails-XSS plugin (http://github.com/NZKoz/rails_xss/issues#issue/1), but I think that this problem should be fixed in Rails itself. I've attached a patch to this ticket.
Comments and changes to this ticket
-
Michael Koziarski November 30th, 2009 @ 08:35 PM
- Tag changed from 2-3-stable, patch, xss to patch, xss
- Milestone cleared.
Can't apply this to 2-3-stable as it'll break people's apps who have already added h() calls, we can fix it in master though where h() is idempotent.
-
Jared Fine December 1st, 2009 @ 03:30 AM
I agree with Bruno and Ryan, the way it currently functions seems backwards. To wrap raw html with a link seems much more the exception rather than the rule. There aren't even that many legal html elements you can have inside of an anchor. Ideally link_to (and related helpers, button_to, etc.) should escape the first argument by default and allow override by passing an option such as :raw => true.
-
Bruno Michel February 6th, 2010 @ 09:11 PM
This bug is not present in Rails 3. The ticket can be closed if the patch won't be applied in Rails 2.3.
-
kevmoo February 7th, 2010 @ 07:50 AM
This should be fixed in the 2.3 track.
It's totally broken and I'm guessing 2.3 is not dying when 3.0 ships.
Right?
-
trevor February 8th, 2010 @ 05:58 AM
re: "There aren't even that many legal html elements you can have inside of an anchor."
html5 changes this, from http://meyerweb.com/eric/html-xhtml/html5-linking.html -
"Change a so that it can wrap around any arbitrary collection of elements"
from http://www.whatwg.org/specs/web-apps/current-work/multipage/text-le... -
<a href="http://ad.example.com/?adid=1929&pubid=1422">
  <section>
    <h1>Mellblomatic 9000!</h1>
    <p>Turn all your widgets into mellbloms!</p>
    <p>Only $9.99 plus shipping and handling.</p>
  </section>
</a>
-
Santiago Pastorino March 8th, 2010 @ 03:48 AM
- State changed from new to wontfix
On 3.0 it is working that way.
It's automatically escaped because you start with a SafeBuffer and the output builder concatenates with the SafeBuffer it manages, using this method from SafeBuffer:
module ActiveSupport #:nodoc:
  class SafeBuffer < String
    def concat(value)
      if value.html_safe?
        super(value)
      else
        super(ERB::Util.h(value))
      end
    end
    alias << concat
  end
end
What is it you're saying that's not working?
Did you try the latest version of 2-3-stable with http://github.com/rails/rails_xss ?
-
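The thread above makes three points that are easier to see side by side in running code: the SafeBuffer concat shown by Santiago escapes anything not marked html_safe?, an escape-by-default link_to with a :raw => true override as Jared proposed, and the idempotent h() that Michael says master has (so apps that already call h() are not double-escaped). The following is an added, stand-alone Ruby illustration written for this page; it is not Rails' code. SafeBuffer here is a deliberately minimal toy modelled on the method quoted above, String#html_safe / #html_safe? are assumed monkeypatches standing in for ActiveSupport's, and LinkHelper.link_to and LinkHelper.h are hypothetical helpers, not the Rails API.

```ruby
require 'erb'

# Toy SafeBuffer (assumption: a minimal stand-in for ActiveSupport::SafeBuffer,
# not the Rails class). A SafeBuffer is always considered html_safe?; anything
# appended to it that is not html_safe? is escaped with ERB::Util.html_escape.
class SafeBuffer < String
  def html_safe?
    true
  end

  def concat(value)
    if value.respond_to?(:html_safe?) && value.html_safe?
      super(value)
    else
      super(ERB::Util.html_escape(value))
    end
  end
  alias << concat
end

# Assumed monkeypatch standing in for ActiveSupport's String extensions:
# a plain String is never html_safe?; calling html_safe wraps it in a SafeBuffer.
class String
  def html_safe?
    false
  end

  def html_safe
    SafeBuffer.new(self)
  end
end

module LinkHelper
  # Idempotent escape: escaping an already-safe string returns it unchanged,
  # so callers who still write h(name) don't get "&amp;amp;" (the master
  # behaviour Michael refers to; hypothetical helper, not Rails' h()).
  def self.h(value)
    return value if value.html_safe?
    ERB::Util.html_escape(value).html_safe
  end

  # Escape-by-default link_to with a :raw => true override (hypothetical
  # helper illustrating Jared's proposal, not the Rails signature).
  # Both the link text and the href are escaped unless marked safe, so
  # user-controlled text cannot inject markup or break out of the attribute.
  def self.link_to(name, url, options = {})
    raw = options.fetch(:raw, false)
    buf = SafeBuffer.new
    buf << '<a href="'.html_safe
    buf << url
    buf << '">'.html_safe
    buf << (raw ? name.html_safe : name)
    buf << '</a>'.html_safe
    buf
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample inputs: untrusted text containing characters that are
  # significant in HTML, and a URL with a query string.
  puts LinkHelper.link_to('Sales & <Marketing>', '/teams')
  puts LinkHelper.link_to(LinkHelper.h('Sales & <Marketing>'), '/teams')
  puts LinkHelper.link_to('<b>Sales</b>', '/teams', raw: true)
  puts LinkHelper.link_to('x', '/s?q=a&b=c')
end
```

The first two calls produce identical output, which is the property that lets the escape-by-default change land without breaking templates that already wrap the argument in h(); the third shows the explicit opt-in that a template must make to emit markup inside the anchor.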
Bruno Michel March 8th, 2010 @ 08:25 PM
It works fine for Rails 2.3 with Rails XSS. The problem was fixed on the 18th of February by DHH himself with this commit: http://github.com/dhh/rails_xss/commit/afc1610fe4b94150faee98c16f15....
-
Jeremy Kemper October 15th, 2010 @ 11:01 PM
- Milestone set to 3.0.2
- Importance changed from to