content_for and xss bug
Reported by Greg Hazel | January 17th, 2011 @ 08:19 PM
This occurs on Rails 2.3.10
<%# this is safe: the block is captured, so <%= %> escapes `malicious` %>
<% content_for :foo do %>
<%= malicious %>
<% end %>
<%# this is not safe: the raw string is stored without escaping %>
<% content_for :foo, malicious %>
The reason is the way ActionPack implements content_for:
def content_for(name, content = nil, &block)
  ivar = "@content_for_#{name}"
  content = capture(&block) if block_given?
  instance_variable_set(ivar, "#{instance_variable_get(ivar)}#{content}".html_safe)
  nil
end
Notice it marks the string as html_safe even if it isn't.
Here's the workaround I've come up with, but there may be something more elegant:
def content_for(name, content = nil, &block)
  ivar = "@content_for_#{name}"
  content = capture(&block) if block_given?
  instance_variable_set(ivar, "#{instance_variable_get(ivar)}#{ERB::Util.h(content)}".html_safe)
  nil
end
Comments and changes to this ticket
Santiago Pastorino January 28th, 2011 @ 07:12 PM
- State changed from new to invalid
- Importance changed from to Low
Hey Greg, we should patch this in rails_xss. Can you patch that there?
Send me a pull request. I'm closing this ticket from here, thanks.
Tickets have moved to Github. The new ticket tracker is available at https://github.com/rails/rails/issues