#5099 :include_blank and :prompt options for #select not HTML safe - Ruby on Rails

Type	To find
responsible:me	tickets assigned to you
tagged:"@high"	tickets tagged @high
milestone:next	tickets in the upcoming milestone
state:invalid	tickets with the state invalid
created:"last week"	tickets created last week
sort:number, importance, updated	tickets sorted by #, importance or updated
Combine keywords for powerful searching.
Use advanced searching »

This project is archived and is in readonly mode.

#5099 ✓resolved

:include_blank and :prompt options for #select not HTML safe

Reported by John Firebaugh | July 12th, 2010 @ 08:36 PM | in 3.x

String options :include_blank and :prompt options are not HTML-escaped or checked for safety before being concatenated with markup.

select("post", "person_id", Person.all.collect {|p| [ p.name, p.id ] }, {:include_blank => '<None>'})

produces:

<select name="post[person_id]">
     <option value=""><None></option>
     <option value="1">David</option>
     <option value="2" selected="selected">Sam</option>
     <option value="3">Tobias</option>
</select>

It should produce:

<select name="post[person_id]">
     <option value="">&lt;None&gt;</option>
     <option value="1">David</option>
     <option value="2" selected="selected">Sam</option>
     <option value="3">Tobias</option>
</select>

Comments and changes to this ticket

Rohit Arondekar July 13th, 2010 @ 01:30 PM
- Milestone set to “3.x”
- State changed from “new” to “open”
- Tag set to “actionpack, formtaghelper, select”
- Importance changed from “” to “Low”
Can you write a failing test and a patch?
You flagged this item as spam.
Ivan Torres (mexpolk) July 13th, 2010 @ 04:11 PM
- Tag changed from “actionpack, formtaghelper, select” to “actionpack, formoptionshelper, grouped_options_for_select, select”
confirmed... here's the patch
- ticket_5099.diff 1.9 KB
Rohit Arondekar July 14th, 2010 @ 01:27 AM
The change looks good but you'll need to add a failing test too.
You flagged this item as spam.
Ivan Torres (mexpolk) July 14th, 2010 @ 07:27 AM
ready! added failing tests
- ticket_5099.diff 4.5 KB
Rohit Arondekar July 14th, 2010 @ 12:36 PM
- Assigned user set to “José Valim”
Repository July 18th, 2010 @ 10:36 AM
- State changed from “open” to “resolved”
(from [cdfa11409c6196d35e890cf1766e1e2cc6f3d7d7]) select :include_blank or :prompt should return escaped string [#5099 state:resolved]

Signed-off-by: José Valim jose.valim@gmail.com
http://github.com/rails/rails/commit/cdfa11409c6196d35e890cf1766e1e...

Create your profile

Help contribute to this project by taking a few moments to create your personal profile. Create your profile »

<h2 style="font-size: 14px">Tickets have moved to Github</h2>

The new ticket tracker is available at <a href="https://github.com/rails/rails/issues">https://github.com/rails/rails/issues</a>

Shared Ticket Bins (Sort)

↓↑ drag 455 Open Bugs
↓↑ drag 0 Recent Open Tickets
↓↑ drag 87 Open Patches
↓↑ drag 0 Open Doc Patches
↓↑ drag 542 Stale Tickets
↓↑ drag 3 Verified Patches
↓↑ drag 87 Stale Patches
↓↑ drag 0 Yesterday's Tickets
↓↑ drag 0 Two Days Ago
↓↑ drag 0 This Week
↓↑ drag 0 Last Week
↓↑ drag 7 Bugmash
↓↑ drag 0 Bugmash review queue
↓↑ drag 5 Rails 3 High Priority Tickets

People watching this ticket

Attachments

ticket_5099.diff 1.9 KB
ticket_5099.diff 4.5 KB

Referenced by

5099 :include_blank and :prompt options for #select not HTML safe (from [cdfa11409c6196d35e890cf1766e1e2cc6f3d7d7]) select ...

Rails Ruby on Rails → 3.x

:include_blank and :prompt options for #select not HTML safe

Comments and changes to this ticket

Rohit Arondekar July 13th, 2010 @ 01:30 PM

Ivan Torres (mexpolk) July 13th, 2010 @ 04:11 PM

Rohit Arondekar July 14th, 2010 @ 01:27 AM

Ivan Torres (mexpolk) July 14th, 2010 @ 07:27 AM

Rohit Arondekar July 14th, 2010 @ 12:36 PM

Repository July 18th, 2010 @ 10:36 AM

Create your profile

Shared Ticket Bins (Sort)

People watching this ticket

Attachments

Tags

Referenced by

Pages

Rails Ruby on Rails → 3.x

Keyword searching

:include_blank and :prompt options for #select not HTML safe

Comments and changes to this ticket

Rohit Arondekar July 13th, 2010 @ 01:30 PM

Ivan Torres (mexpolk) July 13th, 2010 @ 04:11 PM

Rohit Arondekar July 14th, 2010 @ 01:27 AM

Ivan Torres (mexpolk) July 14th, 2010 @ 07:27 AM

Rohit Arondekar July 14th, 2010 @ 12:36 PM

Repository July 18th, 2010 @ 10:36 AM

Create your profile

Shared Ticket Bins (Sort)

People watching this ticket

Attachments

Tags

Referenced by

Pages