#4669 ERB monkypatch creates incompatibilities - Ruby on Rails

Type	To find
responsible:me	tickets assigned to you
tagged:"@high"	tickets tagged @high
milestone:next	tickets in the upcoming milestone
state:invalid	tickets with the state invalid
created:"last week"	tickets created last week
sort:number, importance, updated	tickets sorted by #, importance or updated
Combine keywords for powerful searching.
Use advanced searching »

This project is archived and is in readonly mode.

#4669 ✓duplicate

ERB monkypatch creates incompatibilities

Reported by nex3 | May 23rd, 2010 @ 11:59 AM | in 2.3.7

In 2.3.6, ERB is monkeypatched rather than subclassed to use ActiveSupport::SafeBuffer. This breaks any libraries that are using ERB and expecting it to work with a plain string. One such use is Haml's :erb filter, which integrates the ERB-compiled Ruby into the Haml-compiled Ruby, and breaks when ERB tries to call #safe_concat on a plain string.

Why is ERB being monkeypatched in the first place? I was under the impression that Erubis was used for XSS-safety. This monkeypatch doesn't exist in the master branch. I suggest removing it entirely. If removal isn't an option, subclass before you change the behavior of a class.

Comments and changes to this ticket

Jeremy Kemper May 23rd, 2010 @ 05:58 PM
- Milestone set to “2.3.7”
- State changed from “new” to “open”
- Assigned user set to “Santiago Pastorino”
For forward compatibility with Rails 3. Everything supports the html-safety machinery out of the box, but it's turned off by default. You install the rails_xss plugin to enable.

Reopening ERB directly is unnecessary.
Santiago Pastorino May 23rd, 2010 @ 06:08 PM
- Milestone changed from “2.3.7” to “2.3.6”
- Assigned user cleared.
Santiago Pastorino May 23rd, 2010 @ 06:10 PM
- Milestone changed from “2.3.6” to “2.3.7”
ohh sorry i did this before reloading
You flagged this item as spam.
nex3 May 23rd, 2010 @ 09:30 PM
- Tag changed from “2.3.6, xss” to “2, xss”
How does monkeypatching ERB create forwards compatibility? Rails 3 doesn't monkeypatch ERB. ERB isn't used for html-safety... that's all Erubis. What reason could there possibly be for modifying ERB?
Jeremy Kemper May 23rd, 2010 @ 09:57 PM
- State changed from “open” to “duplicate”
#4034
You flagged this item as spam.
Andrea Campi October 16th, 2010 @ 11:41 PM
- Tag changed from “2, xss” to “2-3-stable, xss”
- Importance changed from “” to “High”

Create your profile

Help contribute to this project by taking a few moments to create your personal profile. Create your profile »

<h2 style="font-size: 14px">Tickets have moved to Github</h2>

The new ticket tracker is available at <a href="https://github.com/rails/rails/issues">https://github.com/rails/rails/issues</a>

Shared Ticket Bins (Sort)

↓↑ drag 455 Open Bugs
↓↑ drag 0 Recent Open Tickets
↓↑ drag 87 Open Patches
↓↑ drag 0 Open Doc Patches
↓↑ drag 542 Stale Tickets
↓↑ drag 3 Verified Patches
↓↑ drag 87 Stale Patches
↓↑ drag 0 Yesterday's Tickets
↓↑ drag 0 Two Days Ago
↓↑ drag 0 This Week
↓↑ drag 0 Last Week
↓↑ drag 7 Bugmash
↓↑ drag 0 Bugmash review queue
↓↑ drag 5 Rails 3 High Priority Tickets

Rails Ruby on Rails → 2.3.7

ERB monkypatch creates incompatibilities

Comments and changes to this ticket

Jeremy Kemper May 23rd, 2010 @ 05:58 PM

Santiago Pastorino May 23rd, 2010 @ 06:08 PM

Santiago Pastorino May 23rd, 2010 @ 06:10 PM

nex3 May 23rd, 2010 @ 09:30 PM

Jeremy Kemper May 23rd, 2010 @ 09:57 PM

Andrea Campi October 16th, 2010 @ 11:41 PM

Create your profile

Shared Ticket Bins (Sort)

People watching this ticket

Tags

Pages

Rails Ruby on Rails → 2.3.7

Keyword searching

ERB monkypatch creates incompatibilities

Comments and changes to this ticket

Jeremy Kemper May 23rd, 2010 @ 05:58 PM

Santiago Pastorino May 23rd, 2010 @ 06:08 PM

Santiago Pastorino May 23rd, 2010 @ 06:10 PM

nex3 May 23rd, 2010 @ 09:30 PM

Jeremy Kemper May 23rd, 2010 @ 09:57 PM

Andrea Campi October 16th, 2010 @ 11:41 PM

Create your profile

Shared Ticket Bins (Sort)

People watching this ticket

Tags

Pages