This project is archived and is in readonly mode.

#3883 ✓resolved
Bruno Michel

Content_tag does not escape its input!

Reported by Bruno Michel | February 6th, 2010 @ 10:31 PM


I've read and I've tried the example. Obviously, tag has to be replaced by content_tag (otherwise, error 500). But the output is not the expected one; evil_js can be executed:

Hello <strong>friends</strong>!

I've tried to fix content_tag_string like this:

    def content_tag_string(name, content, options, escape = true)
      tag_options = tag_options(options, escape) if options
      # escape the body as well as the attributes
      "<#{name}#{tag_options}>#{ERB::Util.h content}</#{name}>".html_safe
    end

But this breaks a lot of unit tests (184 failures in actionpack). So, I wonder whether content_tag is really a public API that should escape its input, or whether it's only for internal usage.

In the first case, it will also fix two of my other tickets: and
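The two behaviours under discussion, as an added stand-alone example (this is not code from the ticket, from Rails, or from the reporter): `unsafe_content_tag` interpolates the body raw, as the ticket reports, and `safe_content_tag` escapes it the way the proposed patch does. It also shows why escaping alone makes tests fail: markup built by another helper gets double-encoded unless something marks it as already safe. The `SafeString` class, the `h` helper and the `USER_INPUT` / `HELPER_MARKUP` samples are toy stand-ins constructed for this example, not Rails' `SafeBuffer` or its API.

```ruby
require 'erb'

# Toy stand-in for a "this string is already safe HTML" marker (constructed for
# this example; Rails has its own SafeBuffer class for the same purpose).
class SafeString < String
  def html_safe?
    true
  end
end

class String
  def html_safe?
    false
  end

  def html_safe
    SafeString.new(self)
  end
end

# Escape unless the caller has explicitly vouched for the string.
def h(content)
  content.html_safe? ? content : ERB::Util.h(content.to_s)
end

# Attribute values are always escaped; this is the part the ticket says
# already worked.
def tag_options(options)
  return '' if options.nil? || options.empty?
  options.map { |k, v| %( #{k}="#{ERB::Util.h(v.to_s)}") }.join
end

# Behaviour reported in the ticket: attributes escaped, body interpolated raw.
def unsafe_content_tag(name, content, options = nil)
  "<#{name}#{tag_options(options)}>#{content}</#{name}>".html_safe
end

# Proposed change from the ticket, plus a safe-marker check so that markup
# produced by trusted helper code passes through unchanged.
def safe_content_tag(name, content, options = nil)
  "<#{name}#{tag_options(options)}>#{h(content)}</#{name}>".html_safe
end

# Constructed sample inputs.
USER_INPUT    = %(Hello <script>evil_js()</script>!)
HELPER_MARKUP = safe_content_tag(:strong, 'friends')

def demo
  {
    raw_body:       unsafe_content_tag(:p, USER_INPUT),
    escaped_body:   safe_content_tag(:p, USER_INPUT),
    nested_helper:  safe_content_tag(:p, HELPER_MARKUP),
    # Interpolating a safe string into a literal yields a plain String, so the
    # nested tag is escaped again: the kind of breakage a blanket h() causes.
    double_encoded: safe_content_tag(:p, "Hello #{HELPER_MARKUP}!"),
    attr_injection: safe_content_tag(:a, 'x', href: %(" onclick="evil_js()"))
  }
end

if $PROGRAM_NAME == __FILE__
  demo.each { |label, html| puts "#{label}: #{html}" }
end
```

Run it to see the raw body carry the script tag through while the escaped variant neutralises it. The `double_encoded` case is the practical caveat: once bodies are escaped by default, every caller that builds HTML by string interpolation and hands it to the helper must mark the result safe, which is exactly the kind of change a large test suite surfaces as failures.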
