#4669 ERB monkypatch creates incompatibilities - Ruby on Rails

Type	To find
responsible:me	tickets assigned to you
tagged:"@high"	tickets tagged @high
milestone:next	tickets in the upcoming milestone
state:invalid	tickets with the state invalid
created:"last week"	tickets created last week
sort:number, importance, updated	tickets sorted by #, importance or updated
Combine keywords for powerful searching.
Use advanced searching »

This project is archived and is in readonly mode.

#4669 ✓duplicate

ERB monkypatch creates incompatibilities

Reported by nex3 | May 23rd, 2010 @ 11:59 AM | in 2.3.7

In 2.3.6, ERB is monkeypatched rather than subclassed to use ActiveSupport::SafeBuffer. This breaks any libraries that are using ERB and expecting it to work with a plain string. One such use is Haml's :erb filter, which integrates the ERB-compiled Ruby into the Haml-compiled Ruby, and breaks when ERB tries to call #safe_concat on a plain string.

Why is ERB being monkeypatched in the first place? I was under the impression that Erubis was used for XSS-safety. This monkeypatch doesn't exist in the master branch. I suggest removing it entirely. If removal isn't an option, subclass before you change the behavior of a class.

Comments and changes to this ticket

Jeremy Kemper May 23rd, 2010 @ 05:58 PM
- Milestone set to “2.3.7”
- State changed from “new” to “open”
- Assigned user set to “Santiago Pastorino”
For forward compatibility with Rails 3. Everything supports the html-safety machinery out of the box, but it's turned off by default. You install the rails_xss plugin to enable.

Reopening ERB directly is unnecessary.
Santiago Pastorino May 23rd, 2010 @ 06:08 PM
- Milestone changed from “2.3.7” to “2.3.6”
- Assigned user cleared.
Santiago Pastorino May 23rd, 2010 @ 06:10 PM
- Milestone changed from “2.3.6” to “2.3.7”
ohh sorry i did this before reloading
You flagged this item as spam.
nex3 May 23rd, 2010 @ 09:30 PM
- Tag changed from “2.3.6, xss” to “2, xss”
How does monkeypatching ERB create forwards compatibility? Rails 3 doesn't monkeypatch ERB. ERB isn't used for html-safety... that's all Erubis. What reason could there possibly be for modifying ERB?
Jeremy Kemper May 23rd, 2010 @ 09:57 PM
- State changed from “open” to “duplicate”
#4034
You flagged this item as spam.
Andrea Campi October 16th, 2010 @ 11:41 PM
- Tag changed from “2, xss” to “2-3-stable, xss”
- Importance changed from “” to “High”