
#6298 new
Paul Hieromnimon

[PATCH] Array.join making safe strings unsafe

Reported by Paul Hieromnimon | January 17th, 2011 @ 02:38 AM

When calling join on an Array comprised entirely of html_safe objects, and using an html_safe separator, the string returned is unsafe. This seems to be a bug, and has broken many of our own custom helpers without providing any additional safety.

I overrode Array.join to return safe strings (SafeBuffers) when all the elements of the array are safe, and the separator is either not specified or html_safe itself. This is consistent with Ruby's behavior when joining arrays of untainted objects with an untainted separator.

Additionally, I overrode html_safe? on Array to return true if every element is safe. This will allow Array.join to operate properly in the recursive case (joining an Array of arrays).
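A self-contained illustration of the behaviour described above, as an added example and not the reporter's patch: it uses a minimal stand-in for ActiveSupport::SafeBuffer and a view-style `output` helper (both assumptions), then overrides `Array#html_safe?` and `Array#join` so that safety survives a join only when every element and the separator are already safe.

```ruby
require 'erb'

# Minimal stand-in for ActiveSupport::SafeBuffer (assumption of this example,
# not Rails' implementation): a String that is flagged as already escaped.
class SafeBuffer < String
  def html_safe?; true; end
end

class String
  def html_safe?; false; end
  def html_safe; SafeBuffer.new(self); end
end

# What a view does with a value: escape it unless it is marked safe.
def output(value)
  value.html_safe? ? value.to_s : ERB::Util.html_escape(value)
end

class Array
  alias_method :plain_join, :join   # Ruby's original join, kept for the fallback

  # An Array is safe only when every element is; nested arrays recurse naturally.
  def html_safe?
    all? { |e| e.respond_to?(:html_safe?) && e.html_safe? }
  end

  # Preserve safety only if every element is safe and the separator is either
  # omitted or itself safe; any unsafe element or separator yields a plain String,
  # which the view will then escape in full (the conservative default).
  def join(sep = nil)
    joined = plain_join(sep)
    sep_safe = sep.nil? || (sep.respond_to?(:html_safe?) && sep.html_safe?)
    html_safe? && sep_safe ? SafeBuffer.new(joined) : joined
  end
end

# Constructed fragments: two already-escaped tags and one untrusted user value.
SAFE_ITEMS = ["<li>a</li>".html_safe, "<li>b</li>".html_safe]
UNTRUSTED  = "<script>alert(1)</script>"

# A helper of the kind the ticket mentions: builds markup from safe fragments.
def list_html(items, sep = "".html_safe)
  output(items.join(sep))
end
```

Without the override, `list_html(SAFE_ITEMS)` would render the tags as `&lt;li&gt;…` because the joined String is no longer marked safe; with it, the same call emits the tags unescaped while a joined array containing `UNTRUSTED` still gets escaped end to end.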


Tickets have moved to GitHub

The new ticket tracker is available at https://github.com/rails/rails/issues
