This project is archived and is in readonly mode.

#4668 ✓resolved
nex3

Closing form tags are not marked HTML-safe

Reported by nex3 | May 23rd, 2010 @ 11:53 AM | in 2.3.7

Closing form tags (</form>) created via #form_for or #form_tag are not marked as HTML-safe, and so are rendered as &lt;/form&gt; when XSS protection is enabled. This effectively renders form methods unusable with XSS protection.

I have a patch in my Rails fork which fixes this.
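An added example, not taken from the ticket or from the Rails code base: a minimal plain-Ruby model of an auto-escaping output buffer that reproduces the behaviour reported above. `TrustedHtml`, `OutputBuffer` and `render_form` are hypothetical names; the point is that a fixed closing tag can be marked safe while the block's content is still escaped.

```ruby
# Simplified model of auto-escaping output (hypothetical names, not Rails internals).
ESCAPES = { '&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;' }.freeze

def escape_html(text)
  text.gsub(/[&<>"]/, ESCAPES)
end

# Markup the helper itself produced and vouches for; emitted verbatim.
class TrustedHtml < String
  def html_safe?
    true
  end
end

class OutputBuffer
  def initialize
    @out = +''
  end

  # Append a fragment. Anything not explicitly trusted is escaped.
  def <<(fragment)
    trusted = fragment.respond_to?(:html_safe?) && fragment.html_safe?
    @out << (trusted ? fragment : escape_html(fragment))
    self
  end

  def to_s
    @out.dup
  end
end

# Hypothetical form helper. With mark_close: false it reproduces the defect in
# the ticket: the closing tag is a plain String, so the buffer escapes it.
def render_form(action, mark_close:)
  buf = OutputBuffer.new
  buf << TrustedHtml.new(%(<form action="#{escape_html(action)}">))
  buf << yield # block content is untrusted and must stay escaped
  buf << (mark_close ? TrustedHtml.new('</form>') : '</form>')
  buf.to_s
end

user_input = '<script>x</script>' # constructed sample input
puts render_form('/login', mark_close: false) { user_input }
puts render_form('/login', mark_close: true) { user_input }
```

Only the literal tag written by the helper is marked trusted; the block's return value goes through the escaping path in both cases.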


Tickets have moved to GitHub

The new ticket tracker is available at https://github.com/rails/rails/issues
