This project is archived and is in readonly mode.

#4755 ✓resolved
Paul Barry

XSS in 2.3.8 is still opt-in

Reported by Paul Barry | June 2nd, 2010 @ 10:51 PM

My understanding is that the XSS changes that wil be in Rails 3 should still be opt-in only for Rails 2.3, as mentioned here

We’re sorry, all: HTML-safety is meant to be opt-in!

So to test this, I've installed Rails 2.3.8:

$ rvm use ree-1.8.7

info: Using ree 1.8.7 2010.01
$ rvm gemset create rails238

info: Gemset 'rails238' created.
$ rvm gemset use rails238

$ gem install rails
Successfully installed activesupport-2.3.8
Successfully installed activerecord-2.3.8
Successfully installed rack-1.1.0
Successfully installed actionpack-2.3.8
Successfully installed actionmailer-2.3.8
Successfully installed activeresource-2.3.8
Successfully installed rails-2.3.8
7 gems installed

$ gem install sqlite3-ruby
Building native extensions.  This could take a while...
Successfully installed sqlite3-ruby-1.2.5
1 gem installed

I generated an app and then I made this ERB template:

    <%= stylesheet_link_tag("foo") + "<title>Foo</title>"  %>
    <%= link_to("#") + "<p>Foo</p>" %>
    <%= "<br/>" %>

When it gets rendered as a view for an action, it produces this:

    <link href="/stylesheets/foo.css" media="screen" rel="stylesheet" type="text/css" />&lt;title&gt;Foo&lt;/title&gt;
    <a href="/main">#</a>&lt;p&gt;Foo&lt;/p&gt;


The <br/> is not escaped, so that's working as expected, but concatenating a string on to the result of a helper is being escaped without calling h, so that is not as expected. Is this a bug or has the behavior in 2.3.8 been changed intentionally?

Comments and changes to this ticket

Create your profile

Help contribute to this project by taking a few moments to create your personal profile. Create your profile »

<h2 style="font-size: 14px">Tickets have moved to Github</h2>

The new ticket tracker is available at <a href=""></a>

People watching this ticket