This project is archived and is in readonly mode.

#4669 ✓duplicate

ERB monkypatch creates incompatibilities

Reported by nex3 | May 23rd, 2010 @ 11:59 AM | in 2.3.7

In 2.3.6, ERB is monkeypatched rather than subclassed to use ActiveSupport::SafeBuffer. This breaks any libraries that are using ERB and expecting it to work with a plain string. One such use is Haml's :erb filter, which integrates the ERB-compiled Ruby into the Haml-compiled Ruby, and breaks when ERB tries to call #safe_concat on a plain string.

Why is ERB being monkeypatched in the first place? I was under the impression that Erubis was used for XSS-safety. This monkeypatch doesn't exist in the master branch. I suggest removing it entirely. If removal isn't an option, subclass before you change the behavior of a class.

Comments and changes to this ticket

  • Jeremy Kemper

    Jeremy Kemper May 23rd, 2010 @ 05:58 PM

    • Milestone set to 2.3.7
    • State changed from “new” to “open”
    • Assigned user set to “Santiago Pastorino”

    For forward compatibility with Rails 3. Everything supports the html-safety machinery out of the box, but it's turned off by default. You install the rails_xss plugin to enable.

    Reopening ERB directly is unnecessary.

  • Santiago Pastorino

    Santiago Pastorino May 23rd, 2010 @ 06:08 PM

    • Milestone changed from 2.3.7 to 2.3.6
    • Assigned user cleared.
  • Santiago Pastorino

    Santiago Pastorino May 23rd, 2010 @ 06:10 PM

    • Milestone changed from 2.3.6 to 2.3.7

    ohh sorry i did this before reloading

  • nex3

    nex3 May 23rd, 2010 @ 09:30 PM

    • Tag changed from 2.3.6, xss to 2, xss

    How does monkeypatching ERB create forwards compatibility? Rails 3 doesn't monkeypatch ERB. ERB isn't used for html-safety... that's all Erubis. What reason could there possibly be for modifying ERB?

  • Jeremy Kemper

    Jeremy Kemper May 23rd, 2010 @ 09:57 PM

    • State changed from “open” to “duplicate”
  • Andrea Campi

    Andrea Campi October 16th, 2010 @ 11:41 PM

    • Tag changed from 2, xss to 2-3-stable, xss
    • Importance changed from “” to “High”

Create your profile

Help contribute to this project by taking a few moments to create your personal profile. Create your profile »

<h2 style="font-size: 14px">Tickets have moved to Github</h2>

The new ticket tracker is available at <a href=""></a>