This project is archived and is in readonly mode.
Helpers use safe_concat rather than marking strings as html_safe
Reported by nex3 | May 23rd, 2010 @ 12:17 PM | in 2.3.6
The #concat and #cache helpers in
Rails 2.3.6 call output_buffer#safe_concat rather than
calling output_buffer#concat and passing in an
html_safe string. This is a major compatibility issue
for alternate templating engines: Haml, for instance, uses a plain
String as output_buffer, and handles
XSS-escaping elsewhere. Rails should never assume that
output_buffer is a SafeBuffer.
This patch on my Rails fork fixes the issue.
Comments and changes to this ticket
-
Santiago Pastorino May 23rd, 2010 @ 05:11 PM
- Milestone set to “2.3.6”
- State changed from “new” to “open”
I think a lot of fixes from master weren't backported
-
Santiago Pastorino May 23rd, 2010 @ 05:32 PM
- State changed from “open” to “invalid”
output_buffer is always a SafeBuffer, the rest of the template engines should use this if not this templates aren't safe.
I'm opening a new ticket with a fragment_for backport. -
-
Create your profile
Help contribute to this project by taking a few moments to create your personal profile. Create your profile »
<h2 style="font-size: 14px">Tickets have moved to Github</h2>
The new ticket tracker is available at <a href="https://github.com/rails/rails/issues">https://github.com/rails/rails/issues</a>
Jeremy Kemper
nex3
Santiago Pastorino