This project is archived and is in readonly mode.

#3449 ✓wontfix
Bruno Michel

Label tag doesn't escape its input

Reported by Bruno Michel | November 1st, 2009 @ 01:11 PM | in 2.3.6

The label_tag doesn't escape its input, but returns an html_safe string. I've attached a patch to fix it.

My use case is polls submitted by users where other users can vote on them. When showing the polls, I use the label_tag with data from the users, that can be potentially malicious.

Comments and changes to this ticket

Create your profile

Help contribute to this project by taking a few moments to create your personal profile. Create your profile »

<h2 style="font-size: 14px">Tickets have moved to Github</h2>

The new ticket tracker is available at <a href="https://github.com/rails/rails/issues">https://github.com/rails/rails/issues</a>

Attachments

Tags

Referenced by

Pages