Introduce notion of 'html_safe?' to Strings in preparation for on-by-default XSS
Reported by Michael Koziarski | August 9th, 2009 @ 01:19 AM | in 2.3.6
As discussed on the core-list
http://groups.google.com/group/rubyonrails-core/browse_thread/threa...
I've attached the patch I intend to roll-in to 2-3-stable. I'm creating this ticket to give a chance for others to test and object / comment.
- Strings are marked safe with String#html_safe!
- SafeBuffer is a new buffer class which escapes all non-safe strings
- Add a raw helper which marks strings as safe
Note: this change does not impact rendering in any way; you must install the rails_xss plugin to get that behaviour.
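To make the three pieces listed above concrete, here is an added example that is not the patch attached to this ticket and not Rails code: a minimal stand-in for String#html_safe!/html_safe?, a SafeBuffer that escapes anything appended to it unless it is marked safe, and a raw helper, runnable with plain Ruby. The `render_comment`, `broken_bold` and `fixed_bold` helpers are constructed for illustration; the last two show why a view helper that returns an unmarked String gets its markup escaped a second time by the buffer.

```ruby
require 'erb'

# Added example (not the ticket's patch): minimal reimplementation of the
# mechanism the ticket describes, to show how the safe/unsafe split works.
class String
  # Mark this string as already-escaped HTML. Mirrors the ticket's String#html_safe!.
  def html_safe!
    @_html_safe = true
    self
  end

  def html_safe?
    @_html_safe == true
  end
end

# Output buffer a template writes into. Anything appended that is not marked
# safe is HTML-escaped on the way in, so untrusted values cannot inject markup.
class SafeBuffer < String
  def initialize(str = "")
    super(str)
    html_safe!
  end

  def concat(value)
    value = value.to_s unless value.is_a?(String)
    super(value.html_safe? ? value : ERB::Util.html_escape(value))
  end
  alias << concat

  def +(other)
    SafeBuffer.new(self).concat(other)
  end

  # String#to_s on a subclass returns a plain String and would drop the marker.
  def to_s
    self
  end
end

# raw helper: the template author asserts that the value is trusted HTML.
def raw(value)
  SafeBuffer.new(value.to_s)
end

# Hypothetical template-style helper: literal markup is trusted, user values are not.
def render_comment(author, body)
  buf = SafeBuffer.new
  buf << raw('<p class="comment">') << author << raw(": ") << body << raw("</p>")
end

# Hypothetical helper that escapes its input but returns a plain String: when a
# SafeBuffer receives it, the markup itself is escaped again (the same class of
# bug as the button_to report in this ticket's comments).
def broken_bold(text)
  "<b>#{ERB::Util.html_escape(text)}</b>"
end

# Fixed version: the helper owns the escaping and marks its result as safe.
def fixed_bold(text)
  broken_bold(text).html_safe!
end

if __FILE__ == $0
  puts render_comment("<script>alert(1)</script>", "Tom & Jerry")
  puts(SafeBuffer.new << broken_bold("hi"))
  puts(SafeBuffer.new << fixed_bold("hi"))
end
```

The design point is that escaping happens at the buffer boundary rather than at each call site: a value only bypasses the escape if something explicitly vouched for it with html_safe! or raw, so forgetting to escape defaults to safe output, and the residual risk moves to the helpers that mark their own output.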
Comments and changes to this ticket
-
Jeremy Kemper September 11th, 2009 @ 11:04 PM
- Milestone changed from 2.3.4 to 2.3.6
[milestone:id#50064 bulk edit command]
-
Bruno Michel October 10th, 2009 @ 11:40 PM
The button_to helper does not return a string marked as safe. I've made a small patch to fix it.
-
Bruno Michel October 19th, 2009 @ 12:47 AM
Please apply this patch. The button_to helper is broken on Rails 2.3 when using the rails_xss plugin (but the parentheses are there in Rails 3).
-
Bruno Michel November 1st, 2009 @ 12:47 PM
I was advised to create a new ticket for this bug to help with tracking its status. So, it is #3448.
-
Lenary April 22nd, 2010 @ 09:38 PM
Just a question: it looks like this has been applied. Has it really?
-
Rizwan Reza May 16th, 2010 @ 02:39 AM
- State changed from new to resolved
This was committed as in #3448.
-
Ryan Bigg October 9th, 2010 @ 09:56 PM
- Importance changed from to Low
Automatic cleanup of spam.
Referenced by
- 3785 Content_tag_string Sanitizes Possibly Unsafe HTML This ticket is related to the ongoing work on HTML safe s...