#4668 Closing form tags are not marked HTML-safe - Ruby on Rails

Type	To find
responsible:me	tickets assigned to you
tagged:"@high"	tickets tagged @high
milestone:next	tickets in the upcoming milestone
state:invalid	tickets with the state invalid
created:"last week"	tickets created last week
sort:number, importance, updated	tickets sorted by #, importance or updated
Combine keywords for powerful searching.
Use advanced searching »

This project is archived and is in readonly mode.

#4668 ✓resolved

Closing form tags are not marked HTML-safe

Reported by nex3 | May 23rd, 2010 @ 11:53 AM | in 2.3.7

Closing form tags (</form>) created via #form_for or #form_tag are not marked as HTML-safe, and so are rendered as </form> when XSS protection is enabled. This effectively renders form methods unusable with XSS protection.

I have a patch in my Rails fork which fixes this.

Comments and changes to this ticket

Santiago Pastorino May 23rd, 2010 @ 04:40 PM
Please can you provide some tests?
Santiago Pastorino May 23rd, 2010 @ 05:11 PM
- Milestone set to “2.3.6”
- Tag changed from “2.3.6” to “2.3.6, xss”
- State changed from “new” to “open”
Santiago Pastorino May 23rd, 2010 @ 05:28 PM
- Assigned user set to “Jeremy Kemper”
Jeremy Kemper May 23rd, 2010 @ 05:54 PM
- Milestone changed from “2.3.6” to “2.3.7”
[bulk edit]
Santiago Pastorino May 24th, 2010 @ 05:06 AM
- State changed from “open” to “resolved”

Create your profile

Help contribute to this project by taking a few moments to create your personal profile. Create your profile »

<h2 style="font-size: 14px">Tickets have moved to Github</h2>

The new ticket tracker is available at <a href="https://github.com/rails/rails/issues">https://github.com/rails/rails/issues</a>

Shared Ticket Bins (Sort)

↓↑ drag 455 Open Bugs
↓↑ drag 0 Recent Open Tickets
↓↑ drag 87 Open Patches
↓↑ drag 0 Open Doc Patches
↓↑ drag 542 Stale Tickets
↓↑ drag 3 Verified Patches
↓↑ drag 87 Stale Patches
↓↑ drag 0 Yesterday's Tickets
↓↑ drag 0 Two Days Ago
↓↑ drag 0 This Week
↓↑ drag 0 Last Week
↓↑ drag 7 Bugmash
↓↑ drag 0 Bugmash review queue
↓↑ drag 5 Rails 3 High Priority Tickets

Rails Ruby on Rails → 2.3.7

Closing form tags are not marked HTML-safe

Comments and changes to this ticket

Santiago Pastorino May 23rd, 2010 @ 04:40 PM

Santiago Pastorino May 23rd, 2010 @ 05:11 PM

Santiago Pastorino May 23rd, 2010 @ 05:28 PM

Jeremy Kemper May 23rd, 2010 @ 05:54 PM

Santiago Pastorino May 24th, 2010 @ 05:06 AM

Create your profile

Shared Ticket Bins (Sort)

People watching this ticket

Tags

Pages

Rails Ruby on Rails → 2.3.7

Keyword searching

Closing form tags are not marked HTML-safe

Comments and changes to this ticket

Santiago Pastorino May 23rd, 2010 @ 04:40 PM

Santiago Pastorino May 23rd, 2010 @ 05:11 PM

Santiago Pastorino May 23rd, 2010 @ 05:28 PM

Jeremy Kemper May 23rd, 2010 @ 05:54 PM

Santiago Pastorino May 24th, 2010 @ 05:06 AM

Create your profile

Shared Ticket Bins (Sort)

People watching this ticket

Tags

Pages