This project is archived and is in readonly mode.

#3883 ✓ resolved
Bruno Michel

Content_tag does not escape its input!

Reported by Bruno Michel | February 6th, 2010 @ 10:31 PM

Hi,

I've read http://yehudakatz.com/2010/02/01/safebuffers-and-rails-3-0/ and I've tried the example. Obviously, tag has to be remplaced by content_tag (error 500 else). But, the output is not the expected one, evil_js can be executed:

Hello <strong>friends</strong>!
 
<p><script>evil_js</script></p>
&lt;script&gt;evil_js&lt;/script&gt;

I've tried to fix content_tag_string like this:

        def content_tag_string(name, content, options, escape = true)

      tag_options = tag_options(options, escape) if options
      &quot;&lt;#{name}#{tag_options}&gt;#{ERB::Util.h content}&lt;/#{name}&gt;&quot;.html_safe
    end </code>



But this breaks a lot of unit tests (184 failures in actionpack). So, I wonder if content_tag is really a public API that should escape its input, or if it's only for internal usage.

In the first case, it will also fix 2 others of my tickets: https://rails.lighthouseapp.com/projects/8994/tickets/3450-field_se... and https://rails.lighthouseapp.com/projects/8994/tickets/3449-label-ta....

Comments and changes to this ticket

Create your profile

Help contribute to this project by taking a few moments to create your personal profile. Create your profile »

Tickets have moved to Github

The new ticket tracker is available at https://github.com/rails/rails/issues

Shared Ticket Bins

Referenced by

Pages