
#3213 ✓stale
Stephen Judkins

HTML literals passed into tag helpers don't escape

Reported by Stephen Judkins | September 15th, 2009 @ 09:19 PM

We are passing values from the database directly into form tag helpers. Users had submitted values that contained HTML entities. The tag helpers did not escape these entities, as they use escape_once. This behavior is undesired since a user entering data containing HTML literals, then going to the "update" form for that object, not changing anything, then hitting save, will alter the data.

Patch included to fix this behavior.

This ticket was accidentally posted in the "rails-plugins" project.
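A constructed Ruby illustration of the round trip the ticket describes, added here as an example (it is not the attached patch or Rails' own code; the escape_once regex is an assumed approximation of the helper's behaviour at the time):

```ruby
require 'cgi'

# Assumed approximation of "escape once": <, >, " are always escaped, but an
# ampersand that already starts an entity (&amp; &lt; &#39; ...) is left alone.
HTML_ESCAPE_ONCE_REGEXP = /["><]|&(?!([a-zA-Z]+|(#\d+));)/
HTML_ESCAPE = { '&' => '&amp;', '>' => '&gt;', '<' => '&lt;', '"' => '&quot;' }

def escape_once(value)
  value.gsub(HTML_ESCAPE_ONCE_REGEXP) { |c| HTML_ESCAPE[c] }
end

# Full escaping: every special character becomes an entity, including an
# ampersand that already looks like the start of an entity.
def escape_full(value)
  value.gsub(/[&"><]/) { |c| HTML_ESCAPE[c] }
end

# Simulates a browser parsing the value="..." attribute of the edit form and
# submitting the field back without the user touching it.
def browser_submit(attribute_value)
  CGI.unescapeHTML(attribute_value)
end

# One "open edit form, press save" cycle; returns what lands in the database.
def round_trip(stored, escaper)
  browser_submit(escaper.call(stored))
end

def demo
  # Constructed sample: the user literally typed these entity strings.
  stored = 'Tom &amp; Jerry &lt;3'
  {
    stored: stored,
    after_escape_once: round_trip(stored, method(:escape_once)), # data altered
    after_full_escape: round_trip(stored, method(:escape_full))  # data preserved
  }
end
```

With escape_once the stored entities reach the browser unescaped, are decoded to "&" and "<", and are written back changed; full escaping survives the round trip unchanged.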

Comments and changes to this ticket

  • Rohit Arondekar, October 6th, 2010 @ 06:46 AM

    • State changed from “new” to “stale”
    • Importance changed from “” to “”

    Marking ticket as stale. If this is still an issue please leave a comment with suggested changes, creating a patch with tests, rebasing an existing patch or just confirming the issue on a latest release or master/branches.
