#4788 ✓stale

rails_xss breaks when the word raw is used in text

Reported by JackC | June 7th, 2010 @ 06:47 PM

When using Rails 2.3.8 and rails_xss plugin create a view with the following line in it.

<%= 'text with the word raw in it fails' %>

It will crash.
I think the problem is in add_expr_literal in rails_xss/lib/rails_xss/erubis.rb.
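The report and the later comments point at a regular expression in add_expr_literal that is too loose about the word "raw". The following Ruby script is an added illustration written for this ticket page; it is not rails_xss code, and the two regexes, the helper names and the sample expressions are assumptions. It contrasts an unanchored substring match for `raw` with a check anchored to the first token of the expression, and shows why the distinction matters for an escaping layer: an expression that is wrongly classified as a raw call has its output emitted without HTML escaping.

```ruby
require 'erb'

# Added example, not rails_xss code. Both classifiers below are assumptions
# used to illustrate the pitfall, not the plugin's actual regex.

# Naive: "raw" anywhere in the expression source counts, including inside a
# string literal such as the one in the ticket.
NAIVE_CLASSIFIER = ->(code) { !!(code =~ /raw/) }

# Anchored: only an expression whose first token is the `raw` helper counts
# (`raw(x)`, `raw x`). Text inside quotes and identifiers such as
# `raw_data` or `@drawing` do not match because of \A and \b.
ANCHORED_CLASSIFIER = ->(code) { !!(code =~ /\A\s*raw\b/) }

# The expression from the ticket's view, exactly as written between <%= %>.
TICKET_EXPR = "'text with the word raw in it fails'"

# Constructed expressions that a real view might contain.
SAMPLE_EXPRS = [
  TICKET_EXPR,
  "raw(@html)",        # genuine raw call
  "raw @html",         # genuine raw call without parentheses
  "raw_data.inspect",  # identifier that merely starts with "raw"
  "@drawing.title",    # identifier that merely contains "raw"
  "'<b>raw</b>'"       # string literal carrying markup
]

# Returns true/false for each expression under the given classifier.
def classify_all(exprs, classifier)
  exprs.map { |code| [code, classifier.call(code)] }.to_h
end

# Simulates the decision an ERB compiler makes for an <%= %> expression:
# escape the result unless the classifier says it is a raw call. The
# expression is evaluated here only to show the resulting output.
def render_expr(code, classifier)
  value = eval(code).to_s
  classifier.call(code) ? value : ERB::Util.h(value)
end

if __FILE__ == $0
  SAMPLE_EXPRS.each do |code|
    puts format("%-36s naive=%-5s anchored=%s", code,
                NAIVE_CLASSIFIER.call(code), ANCHORED_CLASSIFIER.call(code))
  end
  puts render_expr("'<b>raw</b>'", NAIVE_CLASSIFIER)     # unescaped markup
  puts render_expr("'<b>raw</b>'", ANCHORED_CLASSIFIER)  # escaped markup
end
```

Running the script shows the ticket's expression (and the `'<b>raw</b>'` literal) being treated as a raw call by the naive check, while the anchored check only accepts the two genuine `raw` invocations; the last two lines of output show the practical consequence, unescaped versus escaped markup for the same literal.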

Comments and changes to this ticket

  • Neeraj Singh

    Neeraj Singh June 7th, 2010 @ 09:29 PM

    • Tag changed from rails_xss to 2.3.x, rails_xss

    FYI: works fine in rails3.

  • David Trasbo

    David Trasbo August 1st, 2010 @ 01:49 PM

    Confirmed on Rails 2.3.9. And the root of the issue almost definitely exists in the mentioned method.

    That regular expression looks kind of naive to me. I might look into making a patch if I become brave enough, but please if you know how to fix it - go ahead.

  • David Trasbo

    David Trasbo August 1st, 2010 @ 02:14 PM

    Duh, Rails 2.3.8. Hard to keep up when the core team releases so many versions at once. :P

  • Santiago Pastorino

    Santiago Pastorino February 2nd, 2011 @ 04:34 PM

    • State changed from “new” to “open”
    • Tag changed from 2.3.x, rails_xss to 23x, rails_xss

    This issue has been automatically marked as stale because it has not been commented on for at least three months.

    The resources of the Rails core team are limited, and so we are asking for your help. If you can still reproduce this error on the 3-0-stable branch or on master, please reply with all of the information you have about it and add "[state:open]" to your comment. This will reopen the ticket for review. Likewise, if you feel that this is a very important feature for Rails to include, please reply with your explanation so we can consider it.

    Thank you for all your contributions, and we hope you will understand this step to focus our efforts where they are most helpful.

  • Santiago Pastorino

    Santiago Pastorino February 2nd, 2011 @ 04:34 PM

    • State changed from “open” to “stale”
