#3449 Label tag doesn't escape its input - Ruby on Rails

Type	To find
responsible:me	tickets assigned to you
tagged:"@high"	tickets tagged @high
milestone:next	tickets in the upcoming milestone
state:invalid	tickets with the state invalid
created:"last week"	tickets created last week
sort:number, importance, updated	tickets sorted by #, importance or updated
Combine keywords for powerful searching.
Use advanced searching »

This project is archived and is in readonly mode.

#3449 ✓wontfix

Label tag doesn't escape its input

Reported by Bruno Michel | November 1st, 2009 @ 01:11 PM | in 2.3.6

The label_tag doesn't escape its input, but returns an html_safe string. I've attached a patch to fix it.

My use case is polls submitted by users where other users can vote on them. When showing the polls, I use the label_tag with data from the users, that can be potentially malicious.

Comments and changes to this ticket

Bruno Michel November 1st, 2009 @ 02:10 PM
- no changes were found...
- escape_label_tag.diff 1.2 KB
Michael Koziarski November 30th, 2009 @ 08:34 PM
- Tag changed from “2-3-stable, patch, xss” to “patch, xss”
- Milestone cleared.
Can't apply this to 2-3-stable as it'll break people's apps who have already added h() calls, we can fix it in master though where h() is idempotent.
Santiago Pastorino March 8th, 2010 @ 03:43 AM
- State changed from “new” to “wontfix”
On 3.0 is working that way.
It's automatically escaped because you start with a SafeBuffer and the output builder concat that (text || name.to_s.humanize) with the SafeBuffer he manages using this method from SafeBuffer
```
module ActiveSupport #:nodoc:
  class SafeBuffer < String
    def concat(value)
      if value.html_safe?
        super(value)
      else
        super(ERB::Util.h(value))
      end
    end
    alias << concat
  end
end
```
Santiago Pastorino March 10th, 2010 @ 12:12 AM
- State changed from “wontfix” to “open”
- Milestone set to “2.3.6”
That's fixed with http://github.com/spastorino/rails/commit/84fd5400c065b6ca659a50354...
Santiago Pastorino March 22nd, 2010 @ 02:50 AM
- State changed from “open” to “wontfix”
This is going to be fixed on github.com/rails/rails_xss

Create your profile

Help contribute to this project by taking a few moments to create your personal profile. Create your profile »

<h2 style="font-size: 14px">Tickets have moved to Github</h2>

The new ticket tracker is available at <a href="https://github.com/rails/rails/issues">https://github.com/rails/rails/issues</a>

Shared Ticket Bins (Sort)

↓↑ drag 455 Open Bugs
↓↑ drag 0 Recent Open Tickets
↓↑ drag 87 Open Patches
↓↑ drag 0 Open Doc Patches
↓↑ drag 542 Stale Tickets
↓↑ drag 3 Verified Patches
↓↑ drag 87 Stale Patches
↓↑ drag 0 Yesterday's Tickets
↓↑ drag 0 Two Days Ago
↓↑ drag 0 This Week
↓↑ drag 0 Last Week
↓↑ drag 7 Bugmash
↓↑ drag 0 Bugmash review queue
↓↑ drag 5 Rails 3 High Priority Tickets

People watching this ticket

Attachments

escape_label_tag.diff 1.2 KB

Referenced by

3785 Content_tag_string Sanitizes Possibly Unsafe HTML This ticket is related to the ongoing work on HTML safe s...
3883 Content_tag does not escape its input! In the first case, it will also fix 2 others of my ticket...

Rails Ruby on Rails → 2.3.6

Label tag doesn't escape its input

Comments and changes to this ticket

Bruno Michel November 1st, 2009 @ 02:10 PM

Michael Koziarski November 30th, 2009 @ 08:34 PM

Santiago Pastorino March 8th, 2010 @ 03:43 AM

Santiago Pastorino March 10th, 2010 @ 12:12 AM

Santiago Pastorino March 22nd, 2010 @ 02:50 AM

Create your profile

Shared Ticket Bins (Sort)

People watching this ticket

Attachments

Tags

Referenced by

Pages

Rails Ruby on Rails → 2.3.6

Keyword searching

Label tag doesn't escape its input

Comments and changes to this ticket

Bruno Michel November 1st, 2009 @ 02:10 PM

Michael Koziarski November 30th, 2009 @ 08:34 PM

Santiago Pastorino March 8th, 2010 @ 03:43 AM

Santiago Pastorino March 10th, 2010 @ 12:12 AM

Santiago Pastorino March 22nd, 2010 @ 02:50 AM

Create your profile

Shared Ticket Bins (Sort)

People watching this ticket

Attachments

Tags

Referenced by

Pages