#2015 text_area_tag should escape contents by default - Ruby on Rails

Type	To find
responsible:me	tickets assigned to you
tagged:"@high"	tickets tagged @high
milestone:next	tickets in the upcoming milestone
state:invalid	tickets with the state invalid
created:"last week"	tickets created last week
sort:number, importance, updated	tickets sorted by #, importance or updated
Combine keywords for powerful searching.
Use advanced searching »

This project is archived and is in readonly mode.

#2015 ✓committed

text_area_tag should escape contents by default

Reported by Chris Mear | February 19th, 2009 @ 02:20 PM | in 2.3.4

text_area_tag currently does not HTML-escape its contents/value by default. However, the rest of the form tag helpers do escape their values, and the corresponding text_area method in FormHelper does it as well.

For consistency and security's sake, it seems like text_area_tag should escape its content by default too.

Comments and changes to this ticket

You flagged this item as spam.
Murray Steele February 20th, 2009 @ 04:05 PM
+1

Looks good to me. Also a pretty sensible addition.
Pratik June 21st, 2009 @ 05:20 PM
- Assigned user set to “Michael Koziarski”
Koz is the master of escaping.
You flagged this item as spam.
Bart ten Brinke June 22nd, 2009 @ 11:23 PM
+1
Michael Koziarski June 26th, 2009 @ 06:07 AM
- Milestone changed from “2.x” to “2.3.4”
Looks good, but the patch doesn't apply cleanly now.

Can you address that (with perhaps a patch each for master and 2-3-stable) and I'll get it in.
Michael Koziarski June 26th, 2009 @ 06:10 AM
Looks good to me.

This patch no longer cleanly applies, but if you can address that I'll
get it in for 2-3 and master.
You flagged this item as spam.
Chris Mear June 26th, 2009 @ 11:51 AM
Here's two new patches, one that applies to the current master branch, and one for the 2-3-stable branch.
- text_area-escaping.diff 3.1 KB
- text_area-escaping-2-3-stable.diff 3 KB
Repository June 27th, 2009 @ 02:17 AM
- State changed from “new” to “committed”
(from [085db5e128ad4ad8fd042776722c78e194c6d0a4]) Make text_area_tag escape contents by default.

Signed-off-by: Michael Koziarski michael@koziarski.com
[#2015 state:committed] http://github.com/rails/rails/commit/085db5e128ad4ad8fd042776722c78...
You flagged this item as spam.
klkk May 23rd, 2011 @ 02:54 AM
www.louisvuittonwarehouse.com

Create your profile

Help contribute to this project by taking a few moments to create your personal profile. Create your profile »

<h2 style="font-size: 14px">Tickets have moved to Github</h2>

The new ticket tracker is available at <a href="https://github.com/rails/rails/issues">https://github.com/rails/rails/issues</a>

Shared Ticket Bins (Sort)

↓↑ drag 455 Open Bugs
↓↑ drag 0 Recent Open Tickets
↓↑ drag 87 Open Patches
↓↑ drag 0 Open Doc Patches
↓↑ drag 542 Stale Tickets
↓↑ drag 3 Verified Patches
↓↑ drag 87 Stale Patches
↓↑ drag 0 Yesterday's Tickets
↓↑ drag 0 Two Days Ago
↓↑ drag 0 This Week
↓↑ drag 0 Last Week
↓↑ drag 7 Bugmash
↓↑ drag 0 Bugmash review queue
↓↑ drag 5 Rails 3 High Priority Tickets

People watching this ticket

Attachments

Referenced by

2015 text_area_tag should escape contents by default Signed-off-by: Michael Koziarski michael@koziarski.com [#...

Rails Ruby on Rails → 2.3.4

text_area_tag should escape contents by default

Comments and changes to this ticket

Murray Steele February 20th, 2009 @ 04:05 PM

Pratik June 21st, 2009 @ 05:20 PM

Bart ten Brinke June 22nd, 2009 @ 11:23 PM

Michael Koziarski June 26th, 2009 @ 06:07 AM

Michael Koziarski June 26th, 2009 @ 06:10 AM

Chris Mear June 26th, 2009 @ 11:51 AM

Repository June 27th, 2009 @ 02:17 AM

klkk May 23rd, 2011 @ 02:54 AM

Create your profile

Shared Ticket Bins (Sort)

People watching this ticket

Attachments

Tags

Referenced by

Pages

Rails Ruby on Rails → 2.3.4

Keyword searching

text_area_tag should escape contents by default

Comments and changes to this ticket

Create your profile

Shared Ticket Bins (Sort)

People watching this ticket

Attachments

Tags

Referenced by

Pages