This project is archived and is in readonly mode.

#3785 ✓resolved
Todd Sundsted

Content_tag_string Sanitizes Possibly Unsafe HTML

Reported by Todd Sundsted | January 25th, 2010 @ 02:20 AM

This ticket is related to the ongoing work on HTML safe strings (ticket #3018). It is related to tickets #3448 #3450 #3449 and points to the underlying problem.

Tag helpers in Rails (indirectly) use content_tag_string to output a string to render. In Rails 2.3.5, content_tag_string liberally marks its output as html safe.

def content_tag_string(name, content, options, escape = true)
  tag_options = tag_options(options, escape) if options

In particular, content_tag, which can be used to generate any HTML tag, passes its second argument, which could easily be user-supplied data, straight through to content_tag_string, where the output is marked as HTML safe.

content_tag(:p, "<script>alert('hello');</script>")

Content_tag is used in other tag helpers:

      def label_tag(name, text = nil, options = {})
        content_tag :label, text || name.to_s.humanize, { "for" => sanitize_to_id(name) }.update(options.stringify_keys)

Comments and changes to this ticket

Create your profile

Help contribute to this project by taking a few moments to create your personal profile. Create your profile »

<h2 style="font-size: 14px">Tickets have moved to Github</h2>

The new ticket tracker is available at <a href=""></a>