This project is archived and is in readonly mode.

#3018 ✓resolved
Michael Koziarski

Introduce notion of 'html_safe?' to Strings in preparation for on-by-default XSS

Reported by Michael Koziarski | August 9th, 2009 @ 01:19 AM | in 2.3.6

As discussed on the core-list

http://groups.google.com/group/rubyonrails-core/browse_thread/threa...

I've attached the patch I intend to roll-in to 2-3-stable. I'm creating this ticket to give a chance for others to test and object / comment.

  • Strings are marked safe with String#html_safe!
  • SafeBuffer is a new buffer class which escapes all non-safe strings
  • Add a raw helper which marks strings as safe

Note, this change does not impact rendering in any way, you must install the rails_xss plugin to get that behaviour.

Comments and changes to this ticket

Create your profile

Help contribute to this project by taking a few moments to create your personal profile. Create your profile »

<h2 style="font-size: 14px">Tickets have moved to Github</h2>

The new ticket tracker is available at <a href="https://github.com/rails/rails/issues">https://github.com/rails/rails/issues</a>

Attachments

Referenced by

Pages