
#3794 ✓stale
Marcel Jackwerth

Translations with interpolated strings (not html_safe)

Reported by Marcel Jackwerth | January 27th, 2010 @ 10:06 AM

In #3401 (and commit http://github.com/rails/rails/commit/2675e4ef83b2a0fb38f01140d65fbd... ) the translate helper is assumed to return an html_safe string. But now the following code will result in an XSS vulnerability:

<%= t(:greeting, :name => @user.name) %>
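
The behaviour the report describes, as an added Ruby example that is not part of the ticket and not Rails code: a minimal stand-in for the translate helper and for SafeBuffer, with the vulnerable version (the whole interpolated result is marked html_safe, so a user-controlled name reaches the page unescaped) beside a hardened version that escapes each interpolation value before interpolating. The translation table, the SafeBuffer and String#html_safe? stand-ins, and the helper names t_unsafe, t_safe and erb_output are assumptions made for this example.

```ruby
require "erb"

# Stand-in for Rails' SafeBuffer (assumption for this example): a String that
# records that it has been vetted as HTML. ERB output (`<%= %>`) escapes plain
# Strings but passes html_safe? strings through untouched.
class SafeBuffer < String
  def html_safe?
    true
  end
end

class String
  def html_safe?
    false
  end
end

# Constructed translation table for the example: one locale, one key, with an
# I18n-style %{name} placeholder.
TRANSLATIONS = {
  greeting: "Hello, %{name}!"
}.freeze

# Interpolate %{key} placeholders, modelling I18n.translate's interpolation.
def interpolate(template, values)
  template.gsub(/%\{(\w+)\}/) do
    key = Regexp.last_match(1).to_sym
    raise KeyError, "missing interpolation argument #{key}" unless values.key?(key)
    values[key].to_s
  end
end

# Vulnerable helper, as complained about in the ticket: the entire interpolated
# string is marked html_safe, including whatever the caller passed as :name.
def t_unsafe(key, values = {})
  SafeBuffer.new(interpolate(TRANSLATIONS.fetch(key), values))
end

# Hardened helper: escape each interpolation value unless the caller already
# vetted it as HTML, then mark the result safe. Only the template (which comes
# from the locale file, not the user) is trusted.
def t_safe(key, values = {})
  escaped = values.transform_values do |v|
    v.html_safe? ? v.to_s : ERB::Util.html_escape(v.to_s)
  end
  SafeBuffer.new(interpolate(TRANSLATIONS.fetch(key), escaped))
end

# Model of what `<%= ... %>` does with the helper's return value in Rails 3:
# html_safe? strings are emitted as-is, everything else is escaped.
def erb_output(value)
  value.html_safe? ? value.to_s : ERB::Util.html_escape(value.to_s)
end

if __FILE__ == $0
  payload = "<script>alert(1)</script>" # constructed attacker-controlled @user.name
  puts erb_output(t_unsafe(:greeting, name: payload)) # script tag lands in the page
  puts erb_output(t_safe(:greeting, name: payload))   # script tag is escaped
end
```

The important design point is where the trust boundary sits: the translation template is safe to mark html_safe because it comes from the locale file, but the interpolation arguments are ordinary view data and must be escaped like any other value, unless the caller explicitly passed an html_safe string.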

Comments and changes to this ticket

  • Rohit Arondekar, October 8th, 2010 @ 02:31 AM

    • State changed from “new” to “stale”
    • Importance changed from “” to “Low”

    Marking ticket as stale. If this is still an issue please leave a comment with suggested changes, creating a patch with tests, rebasing an existing patch or just confirming the issue on a latest release or master/branches.
