
Ticket #4670 (status: invalid)

Helpers use safe_concat rather than marking strings as html_safe

Reported by nex3 | May 23rd, 2010 @ 12:17 PM | in 2.3.6

The #concat and #cache helpers in Rails 2.3.6 call output_buffer#safe_concat rather than calling output_buffer#concat and passing in an html_safe string. This is a major compatibility issue for alternate templating engines: Haml, for instance, uses a plain String as output_buffer, and handles XSS-escaping elsewhere. Rails should never assume that output_buffer is a SafeBuffer.

This patch on my Rails fork fixes the issue.
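As an added illustration of the compatibility point above (this is not code from the ticket, from Rails or from Haml), the Ruby sketch below defines minimal stand-ins for String#html_safe and ActiveSupport::SafeBuffer so that it runs without Rails: the method names mirror Rails 2.3.6, but the bodies are simplified assumptions. It then shows a helper written both ways, once calling output_buffer#safe_concat and once calling output_buffer#concat with an html_safe string, against a plain String buffer (the Haml case) and against the SafeBuffer (the Rails default).

```ruby
require 'cgi'

# Constructed stand-in for ActiveSupport's String#html_safe / html_safe?.
# Real ActiveSupport marks the string differently; only the contract matters here.
class String
  def html_safe
    SafeString.new(self)
  end

  def html_safe?
    false
  end
end

# A string the caller vouches for as already-escaped markup.
class SafeString < String
  def html_safe?
    true
  end
end

# Simplified SafeBuffer: concat escapes anything not marked html_safe,
# safe_concat appends verbatim. String#<< is used internally so that the
# overridden concat is not re-entered.
class SafeBuffer < String
  def concat(value)
    self << (value.html_safe? ? value.to_s : CGI.escapeHTML(value.to_s))
  end

  def safe_concat(value)
    self << value.to_s
  end
end

# Helper written the way the ticket objects to: it assumes the buffer
# responds to safe_concat, i.e. that it is a SafeBuffer.
def concat_via_safe_concat(output_buffer, markup)
  output_buffer.safe_concat(markup)
end

# Helper written the way the ticket asks for: any buffer that responds to
# concat works, and the escaping decision stays with the buffer.
def concat_via_html_safe(output_buffer, markup)
  output_buffer.concat(markup.html_safe)
end

# Exercise both helpers against both buffer types and collect the results.
def demo
  results = {}

  # Haml-style plain String buffer: concat + html_safe works as-is.
  plain = "".dup
  concat_via_html_safe(plain, "<b>bold</b>")
  results[:plain_ok] = plain.dup

  # The same plain buffer has no safe_concat, so the 2.3.6 helper breaks.
  begin
    concat_via_safe_concat("".dup, "<b>bold</b>")
    results[:plain_safe_concat] = :ok
  rescue NoMethodError
    results[:plain_safe_concat] = :no_method_error
  end

  # SafeBuffer: helper markup passes through, untrusted text is escaped.
  safe = SafeBuffer.new
  concat_via_html_safe(safe, "<b>bold</b>")
  safe.concat("<i>user</i>")   # constructed untrusted input, not marked safe
  results[:safe] = safe.to_s

  results
end

if __FILE__ == $0
  demo.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

The plain String buffer accepts the concat/html_safe form unchanged, while the safe_concat form raises NoMethodError on it; on the SafeBuffer both forms append the helper's markup unescaped, and untrusted text that is not marked html_safe is escaped by the buffer rather than by the helper.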


Tickets have moved to GitHub

The new ticket tracker is available at https://github.com/rails/rails/issues
