#4681 over-escaping of content_for in 2.3.7 - Ruby on Rails

Type	To find
responsible:me	tickets assigned to you
tagged:"@high"	tickets tagged @high
milestone:next	tickets in the upcoming milestone
state:invalid	tickets with the state invalid
created:"last week"	tickets created last week
sort:number, importance, updated	tickets sorted by #, importance or updated
Combine keywords for powerful searching.
Use advanced searching »

This project is archived and is in readonly mode.

#4681 ✓resolved

over-escaping of content_for in 2.3.7

Reported by James Healy | May 24th, 2010 @ 05:05 PM | in 2.3.8

In 2.3.7 (and not 2.3.6) content passed from my view to the layout via a content_for block is being over-escaped. I am not using the rails_xss plugin yet.

Given a view that looks like (also available in a gist @ http://gist.github.com/411971):

<%content_for :sidebar do %>
  <h2>Sidebar</h2>
  <p><%=link_to "somewhere", "http://www.google.com/"%></p>
<% end %>

<h1>Main Heading</h1>

And a layout like:

<html>
  <head>
    <title>boo</title>
  </head>
  <body>
    <div id="sidebar">
      <%= yield :sidebar%>
    </div>
    <div id="content">
      <%= yield %>
    </div>
  </body>
</html>

I get the following output:

<html>
  <head>
    <title>boo</title>
  </head>
  <body>
    <div id="sidebar">
      
  &lt;h2&gt;Sidebar&lt;/h2&gt;

  &lt;p&gt;<a href="http://www.google.com/">somewhere</a>&lt;/p&gt;

    </div>
    <div id="content">
      

<h1>Main Heading</h1>

    </div>
  </body>

</html>

Comments and changes to this ticket

You flagged this item as spam.
Uģis Ozols May 24th, 2010 @ 05:56 PM
I believe this is the fix for this issue - http://github.com/rails/rails/commit/c66013e2c5dc77e9bfa06111fb8841...
Jeremy Kemper May 24th, 2010 @ 06:39 PM
- Milestone set to “2.3.8”
- State changed from “new” to “resolved”
You flagged this item as spam.
Matthew Horan May 25th, 2010 @ 04:11 PM
This seems to still be an issue. See the comments at http://weblog.rubyonrails.org/2010/5/25/ruby-on-rails-2-3-8-released. When concatenating HTML on to the end of HTML generated by, e.g. FormBuilder, the concatenated HTML is escaped. This was not the behavior with releases <= 2.3.5 (not sure about 2.3.6.)
You flagged this item as spam.
James Healy May 26th, 2010 @ 01:42 AM
the content_for issue was resolved in 2.3.8, but I'm still getting the same issue as Matthew when concatenating strings in form builders.

I haven't tested yet, but it looks like it might've been fixed as part of ticket #4695

Create your profile

Help contribute to this project by taking a few moments to create your personal profile. Create your profile »

<h2 style="font-size: 14px">Tickets have moved to Github</h2>

The new ticket tracker is available at <a href="https://github.com/rails/rails/issues">https://github.com/rails/rails/issues</a>

Shared Ticket Bins (Sort)

↓↑ drag 455 Open Bugs
↓↑ drag 0 Recent Open Tickets
↓↑ drag 87 Open Patches
↓↑ drag 0 Open Doc Patches
↓↑ drag 542 Stale Tickets
↓↑ drag 3 Verified Patches
↓↑ drag 87 Stale Patches
↓↑ drag 0 Yesterday's Tickets
↓↑ drag 0 Two Days Ago
↓↑ drag 0 This Week
↓↑ drag 0 Last Week
↓↑ drag 7 Bugmash
↓↑ drag 0 Bugmash review queue
↓↑ drag 5 Rails 3 High Priority Tickets

Rails Ruby on Rails → 2.3.8

over-escaping of content_for in 2.3.7

Comments and changes to this ticket

Uģis Ozols May 24th, 2010 @ 05:56 PM

Jeremy Kemper May 24th, 2010 @ 06:39 PM

Matthew Horan May 25th, 2010 @ 04:11 PM

James Healy May 26th, 2010 @ 01:42 AM

Create your profile

Shared Ticket Bins (Sort)

People watching this ticket

Tags

Pages

Rails Ruby on Rails → 2.3.8

Keyword searching

over-escaping of content_for in 2.3.7

Comments and changes to this ticket

Uģis Ozols May 24th, 2010 @ 05:56 PM

Jeremy Kemper May 24th, 2010 @ 06:39 PM

Matthew Horan May 25th, 2010 @ 04:11 PM

James Healy May 26th, 2010 @ 01:42 AM

Create your profile

Shared Ticket Bins (Sort)

People watching this ticket

Tags

Pages