
#1280 ✓resolved
Zach Dennis

error_messages_for doesn't html escape its messages

Reported by Zach Dennis | October 27th, 2008 @ 02:30 PM | in 2.x

error_messages_for doesn't html escape the messages that it displays. It should be doing this. Here's a diff of the fix. I don't have the time right now to post a proper patch, so here's the ticket in case someone has the time.


diff --git a/vendor/rails/actionpack/lib/action_view/helpers/active_record_helper.rb b/vendor/rails/actionpack/lib/action_view/helpers/active_record_helper.rb
index 8b56d24..137fb73 100644
--- a/vendor/rails/actionpack/lib/action_view/helpers/active_record_helper.rb
+++ b/vendor/rails/actionpack/lib/action_view/helpers/active_record_helper.rb
@@ -198,7 +198,7 @@ module ActionView
               locale.t :header, :count => count, :model => object_name
             end
             message = options.include?(:message) ? options[:message] : locale.t(:body)
-            error_messages = objects.sum {|object| object.errors.full_messages.map {|msg| content_tag(:li, msg) } }.join
+            error_messages = objects.sum {|object| object.errors.full_messages.map {|msg| content_tag(:li, h(msg)) } }.join

             contents = ''
             contents << content_tag(options[:header_tag] || :h2, header_message) unless header_message.blank?
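Review bot: the `+` line escapes each full message with `h(msg)` before `content_tag(:li, ...)`, which is needed because the `-` line relied on `content_tag` alone and that does not escape its content here; but `header_message` and `message` (from `options[:message]` or `locale.t(:body)`), built just above in the same method, are still concatenated unescaped, so if either can carry user-influenced text they need the same `h()` treatment. Since the ticket says this is not a proper patch yet, a test that renders a message containing `<script>` and asserts the output contains `&lt;script&gt;` would make the fix verifiable and guard against regression.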

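The list-building line before and after the ticket's fix, as an added Ruby example that is not code from the ticket or from Rails: `content_tag` and `h` are minimal stand-ins (assumed to mirror Rails 2.x, where `content_tag` does not escape its content and `h` is HTML escaping), `FakeRecord`/`FakeErrors` are constructed objects, and `sum` is replaced by `map.flatten` to avoid ActiveSupport.

```ruby
require 'cgi'

# Stand-ins (assumptions, not Rails code): Rails 2.x content_tag returns its
# content verbatim, and h() escapes HTML the way ERB::Util.html_escape does.
def content_tag(name, content)
  "<#{name}>#{content}</#{name}>"
end

def h(text)
  CGI.escapeHTML(text.to_s)
end

# Constructed stand-ins for an ActiveRecord object whose validation messages
# can echo user-supplied input (e.g. a message built from the submitted value).
FakeErrors = Struct.new(:full_messages)
FakeRecord = Struct.new(:errors)

# The line as it was before the fix: raw messages placed inside <li>.
# (objects.sum in the original is ActiveSupport; map.flatten is equivalent here.)
def error_list_unescaped(objects)
  objects.map { |object| object.errors.full_messages.map { |msg| content_tag(:li, msg) } }.flatten.join
end

# The same line with the ticket's fix applied: h(msg) before content_tag.
def error_list_escaped(objects)
  objects.map { |object| object.errors.full_messages.map { |msg| content_tag(:li, h(msg)) } }.flatten.join
end

# Defender-side check for a view test: does the rendered list contain any
# markup other than the <li> wrappers the helper itself emits?
def contains_unexpected_tags?(html)
  html.scan(%r{</?([a-zA-Z]+)[^>]*>}).flatten.any? { |tag| tag.downcase != 'li' }
end

if __FILE__ == $0
  record = FakeRecord.new(FakeErrors.new(['Name is invalid', 'Bio contains <script>alert(1)</script>']))
  puts error_list_unescaped([record]) # <script> survives into the page
  puts error_list_escaped([record])   # rendered as &lt;script&gt;, inert
end
```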