This project is archived and is in readonly mode.

#6302 ✓invalid
Greg Hazel

content_for and xss bug

Reported by Greg Hazel | January 17th, 2011 @ 08:19 PM

This occurs on Rails 2.3.10

# this is safe
<% content_for :foo %>
 <%= malicious %>
<% end %>
# this is not safe
<% content_for :foo, malicious %>

The reason is the way ActionPack implements content_for:

def content_for(name, content = nil, &block)
  ivar = "@content_for_#{name}"
  content = capture(&block) if block_given?
  instance_variable_set(ivar, "#{instance_variable_get(ivar)}#{content}".html_safe)
  nil
end

Notice it marks the string as html_safe even if it isn't.

Here's the workaround I've come up with, but there may be something more elegant:

def content_for(name, content = nil, &block)
  ivar = "@content_for_#{name}"
  content = capture(&block) if block_given?
  instance_variable_set(ivar, "#{instance_variable_get(ivar)}#{ERB::Util.h(content)}".html_safe)
  nil
end
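Both content_for variants side by side, as an added example that is not the ticket's or Rails' own code: it assumes a simplified stand-in for Rails' String#html_safe and ActiveSupport::SafeBuffer (whose append escapes any string not already marked safe) and shows the quoted 2.3.10 implementation passing the untrusted argument through unescaped, while the buffer-based variant escapes it and still leaves captured block output untouched.

```ruby
require 'erb'
# Minimal stand-in for Rails' String#html_safe / ActiveSupport::SafeBuffer
# (constructed for this example, not the real classes): a SafeBuffer is a
# String that reports html_safe? and escapes anything unsafe appended to it.
class String
  def html_safe?; false; end
  def html_safe; SafeBuffer.new(self); end
end
class SafeBuffer < String
  def html_safe?; true; end
  def concat(other)
    safe = other.respond_to?(:html_safe?) && other.html_safe?
    super(safe ? other : ERB::Util.h(other))
  end
  alias << concat
end

class View
  # Rails 2.3.10 behaviour as quoted in the ticket: the whole concatenation
  # is marked html_safe, so an unescaped argument is emitted verbatim.
  def content_for_unsafe(name, content = nil, &block)
    ivar = "@content_for_#{name}"
    content = block.call if block_given?   # stand-in for capture(&block)
    instance_variable_set(ivar, "#{instance_variable_get(ivar)}#{content}".html_safe)
    nil
  end
  # Hardened variant: append through a SafeBuffer, which escapes plain strings
  # but passes already-safe strings (captured template output) through.
  def content_for_safe(name, content = nil, &block)
    ivar = "@content_for_#{name}"
    content = block.call if block_given?
    buffer = instance_variable_get(ivar) || SafeBuffer.new
    buffer << content if content
    instance_variable_set(ivar, buffer)
    nil
  end
  def yield_content(name); instance_variable_get("@content_for_#{name}"); end
end

MALICIOUS = '<script>alert(1)</script>'   # constructed sample input

# Feeds :foo the untrusted argument and a block of already-escaped markup
# through the given content_for variant, then returns what yield would emit.
def render_with(method)
  view = View.new
  view.send(method, :foo, MALICIOUS)                  # argument path
  view.send(method, :foo) { '<b>ok</b>'.html_safe }   # block path
  view.yield_content(:foo)
end
```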

Comments and changes to this ticket

  • Santiago Pastorino

    Santiago Pastorino January 28th, 2011 @ 07:12 PM

    • State changed from “new” to “invalid”
    • Importance changed from “” to “Low”

    Hey Greg, we should patch this in rails_xss. Can you patch that there?
    Send me a pull request. I'm closing this ticket from here, thanks.

