This project is archived and is in readonly mode.
Problem with XSS escape in select_* (eg: select_month) helpers
Reported by Daniel Lopes | December 10th, 2009 @ 09:25 PM | in 2.3.10
I just tested the new Rails 2.3.5 with the rails_xss plugin and it fails in the select_* helpers. So far I have only tested select_month, select_year and select_day, but this behavior is probably the same in select_seconds and select_minutes.
The problem is that rails_xss doesn't work like the other XSS-proof helpers, and escapes the option and select HTML tags generated by these helpers.
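An added illustration of the behaviour reported above (this is example code, not part of the original ticket and not Rails' own code). Under rails_xss the output buffer escapes any String that is not marked html_safe, so a helper that assembles its <select>/<option> markup and returns a plain String comes out escaped; the same helper returning the markup marked html_safe renders correctly, and because each interpolated value is escaped before the tag is assembled, marking the result safe does not reopen XSS. The SafeBuffer stand-in, the select_month_* helper names and the month list are constructed for this example and model the mechanism, not ActiveSupport::SafeBuffer itself:

```ruby
require 'cgi'

# Constructed stand-in for the html_safe/SafeBuffer mechanism rails_xss
# introduced. Illustrative model only, not ActiveSupport::SafeBuffer.
class SafeBuffer < String
  def html_safe?
    true
  end

  # Appending an unsafe String escapes it; appending html_safe content does not.
  def <<(other)
    safe = other.respond_to?(:html_safe?) && other.html_safe?
    super(safe ? other.to_s : CGI.escapeHTML(other.to_s))
  end
  alias_method :concat, :<<
end

class String
  def html_safe?
    false
  end

  def html_safe
    SafeBuffer.new(self)
  end
end

# Hypothetical helper shaped like select_month: builds <option> tags from a
# list of names and returns a plain String (the behaviour the ticket reports).
def select_month_unsafe_return(names, selected)
  options = names.each_with_index.map do |name, i|
    sel = (i + 1 == selected) ? ' selected="selected"' : ''
    # Every interpolated value is escaped before it is placed in the tag.
    %(<option value="#{i + 1}"#{sel}>#{CGI.escapeHTML(name)}</option>)
  end.join
  %(<select name="date[month]">#{options}</select>)
end

# The same helper returning its markup marked html_safe. Safe because the
# pieces were escaped individually above; only the assembled tag is trusted.
def select_month_safe_return(names, selected)
  select_month_unsafe_return(names, selected).html_safe
end

# Render a helper's output into an output buffer the way an ERB template
# under rails_xss would.
def render(helper_output)
  buf = SafeBuffer.new
  buf << helper_output
  buf.to_s
end

# Constructed input; the second name carries a '<' to show inner escaping.
MONTHS = ['January', 'Feb<ruary'].freeze

if __FILE__ == $PROGRAM_NAME
  puts 'plain String return (escaped by the buffer, broken markup):'
  puts render(select_month_unsafe_return(MONTHS, 2))
  puts
  puts 'html_safe return (markup intact, inner value still escaped):'
  puts render(select_month_safe_return(MONTHS, 2))
end
```

The check a practitioner wants when fixing such a helper is the second one: the <option> whose label contained a `<` must still render that character as `&lt;` after the wrapper is marked html_safe. Marking a string safe before escaping its user-controlled parts, rather than after, would reintroduce the injection that rails_xss exists to prevent.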
Comments and changes to this ticket
Michael Koziarski December 11th, 2009 @ 12:24 AM
- Tag set to xss
- Milestone set to 2.3.6
Martin Gamsjaeger (snusnu) June 3rd, 2010 @ 10:19 PM
I've also added this PATCH link to #4728 and #4762. Not sure it applies to any or all of them, but I'm looking through tickets that seem somehow related. Here's a patch I needed to add to rails master to get (at least) the usage of #content_tag with a String as the 2nd param working:
PATCH: http://github.com/snusnu/rails/commit/7f1b5bc6452cd1ca65dae3283c4af...
Jeremy Kemper August 30th, 2010 @ 02:28 AM
- Milestone changed from 2.3.9 to 2.3.10
- Importance changed from to Low
Santiago Pastorino February 2nd, 2011 @ 04:50 PM
- State changed from new to open
This issue has been automatically marked as stale because it has not been commented on for at least three months.
The resources of the Rails core team are limited, and so we are asking for your help. If you can still reproduce this error on the 3-0-stable branch or on master, please reply with all of the information you have about it and add "[state:open]" to your comment. This will reopen the ticket for review. Likewise, if you feel that this is a very important feature for Rails to include, please reply with your explanation so we can consider it.
Thank you for all your contributions, and we hope you will understand this step to focus our efforts where they are most helpful.
Santiago Pastorino February 2nd, 2011 @ 04:50 PM
- State changed from open to stale
Tickets have moved to Github
The new ticket tracker is available at https://github.com/rails/rails/issues
Referenced by
- 4768 [PATCH] Makes #content_tag_as_string respect the "escape" parameter on content I also commented with a link to this patch on #3559 #4728...