This project is archived and is in readonly mode.

#4858 open
Rodrigo Rosenfeld Rosas

[PATCH] ActionMailer is html escaping plain text messages

Reported by Rodrigo Rosenfeld Rosas | June 14th, 2010 @ 01:17 PM | in 3.0.6

A view views/mailer/message.text.erb with this content:

http://ab.cd/e?f=1&g=2 (read an ampersand only, cause LightHouse will mess with it)

is sent as a plain text message with this link:

http://ab.cd/e?f=1&g=2

Comments and changes to this ticket

  • Michael Koziarski

    Michael Koziarski June 14th, 2010 @ 09:17 PM

    • Milestone cleared.
    • Tag set to regression
    • Assigned user set to “Yehuda Katz (wycats)”

    This is probably as a result of unifying the AM and AC use of AV, it's a regression and should be fixed before 3.0

  • Amos King

    Amos King June 15th, 2010 @ 03:41 AM

    I can't reproduce this issue with the latest. Can I get an example so I can tackle this.

  • Rodrigo Rosenfeld Rosas

    Rodrigo Rosenfeld Rosas June 15th, 2010 @ 03:57 AM

    I've just found the root cause. url_for is not marking the url as html_safe and the ERB template used by the plain text templating is sanitizing the text by default as the other ERB templates.

    This mean that now the plain text ERB template should be something like:

    Please, visit <%= raw @confirmation_url %>

    I think plain text templates should not be sanitized in favor of the least surprise principle...

    What do you think?

  • Akira Matsuda

    Akira Matsuda August 23rd, 2010 @ 08:00 AM

    I also got stuck on this problem.

    I think plain text templates should not be sanitized in favor of the least surprise principle... What do you think?

    1. Plain text template should better not be html_escaped.
  • Akira Matsuda
  • Jeremy Kemper
  • Santiago Pastorino

    Santiago Pastorino September 1st, 2010 @ 02:00 AM

    • State changed from “new” to “open”
    • Assigned user changed from “Yehuda Katz (wycats)” to “Mikel Lindsaar”
    • Importance changed from “” to “Low”
  • José Valim

    José Valim September 1st, 2010 @ 11:11 PM

    • Assigned user changed from “Mikel Lindsaar” to “Yehuda Katz (wycats)”

    This is not related to the mail gem, but the ActionView bit. Assigning it back to Mr. Katz.

  • Wincent Colaiuta

    Wincent Colaiuta September 4th, 2010 @ 02:07 PM

    I've had to use raw in a few places in my non-HTML templates for this reason.

    It's not limited to templates with the .text.erb extension. I've also had to do it in .js.erb templates. I imagine that if I had other non-HTML ERB templates it would behave the same way too.

    No idea if this is limited to ERB, seeing as the only other template format I use is Haml, which is obviously always producing HTML output only.

  • Jeremy Kemper

    Jeremy Kemper October 15th, 2010 @ 11:01 PM

    • Milestone set to 3.0.2
  • Ryan Bigg

    Ryan Bigg October 19th, 2010 @ 08:34 AM

    • Tag cleared.

    Automatic cleanup of spam.

  • Fjan

    Fjan November 3rd, 2010 @ 07:08 PM

    I just wanted to point out that the it's not just URLs and not just ampersands: any text gets HTML escaped. This is going to trip people up who accidentally use < and > characters in an e-mail address for example. My plain text e-mail templates are now littered with .html_safe everywhere to prevent this.

    As far as I can tell from the code this is going to be pretty hard to fix without ruining the nice unification of the mailer views with the regular views we just had. My suggestion is to define a new erb character sequence such as <%== to mean a "raw concat". That will beatify the code a little and make sure that we can upgrade old templates with a simple search/replace, mailer or regular view.

  • Fjan

    Fjan November 3rd, 2010 @ 08:51 PM

    Just a quick follow up to myself, I looked at the code and all that is needed to make "<%== ..." behave as "<%= raw ..." is this snippet in an initializer:

    module ActionView
      class Template
        module Handlers
          class Erubis < ::Erubis::Eruby
            def add_expr_escaped(src, code)
              src << "@output_buffer.safe_concat(" << escape_text(code.html_safe) << ");"
            end
          end
        end
      end
    end
    

    It can be made more efficient by adding to the string directly.

  • Wincent Colaiuta

    Wincent Colaiuta November 3rd, 2010 @ 08:57 PM

    I think adding new syntax is a non-solution to this problem which just wall-papers over the underlying issue.

    The fact is that it doesn't make sense to HTML-escape content which is not HTML.

    Merely adding a short-cut syntax for avoiding the undesired escaping is just giving us a more concise means of doing something that we shouldn't have to do in the first place, and IMO it would be worse than just ignoring the problem.

  • Fjan

    Fjan November 3rd, 2010 @ 09:07 PM

    I agree a proper fix where plain text templates do net get escaped would be better.

    However, I still like that new syntax for the regular views. I just did a quick count for "html_safe" and I came up with 390 in my views and helpers. So it would sure save a lot of typing and it can also make the templates more efficient by not converting to an output_buffer and back to a string (as I did above).

    I simply like to use some like without all the html_safe stuff:

    <%= "<b>Alert</b>".html_safe if level<0 %>
    
  • Fjan

    Fjan November 3rd, 2010 @ 11:16 PM

    Oops, that method in my first posts should have read:

    def add_expr_escaped(src, code)
      src << "@output_buffer.safe_concat((" << code << ").to_s);"
    end
    

    Also apologies for the lack of proofreading in the second post. I'm actually tempted to override the XSS escaping when upgrading from Rails 2 projects by doing a global search/replace of <%= with <%== now. The on-by-default escaping idea is sound in theory but it's just introducing more problems than it solves when upgrading an old and stable code base.

  • Fjan

    Fjan November 3rd, 2010 @ 11:17 PM

    • Title changed from “ActionMailer is html escaping ampersand (&) in Urls in plain text messages” to “ActionMailer is html escaping plain text messages”
  • Wincent Colaiuta

    Wincent Colaiuta November 3rd, 2010 @ 11:21 PM

    I agree a proper fix where plain text templates do net get escaped would be better.

    However, I still like that new syntax for the regular views.

    Fjan, your proposed shortcut syntax probably belongs in a separate ticket.

  • Fjan

    Fjan November 3rd, 2010 @ 11:24 PM

    You are right. Sorry for the spam here, not thinking to clearly after typing 390 html_safes. I'll put in a new ticket tomorrow.

  • Bertg

    Bertg November 5th, 2010 @ 07:53 PM

    • Tag set to actionview, escaping, formats, html_safe, safe_buffer, xss

    We have been investigating this issue, and it goes beyond ActionMailer.

    We have detected this happening when rendering csv files, ical compatible files etc.. Basically html escaping is happening all the time in ActionView regardless of format.

    Templates and Handlers always choose a ActionView::SafeBuffer or a subclass of it. This is desired behaviour in case of html (or alike, e.g.: xml) but not in any other context like plain text emails or csv.

    The template should be smart enough to choose the correct buffer based on the format passed to it. E.g.: when the extension of a template is .text.haml it should not be doing any escaping, i.e. not be using the safe buffer.

    We do think the priority of this bug should be high, as it's influencing all formats besides html, and thus breaking these.

    The impact is probably going to be beyond rails, but in any rails3 compatible handler, like haml.

  • Fjan

    Fjan November 11th, 2010 @ 03:25 PM

    Now that my patch to add a non-escaping option to Erubis has been committed to 3.0 stable this problem can be fixed by simply letting the handler check if the template identifier contains "html" and disabling escape otherwise. Attached is a monkey patch that adds one line to the template setup:

       :escape => template.identifier !~ /\.html/   # Note: :escape => true disables escaping
    

    Note that this patch will only work if the patch mentioned above is also applied.

  • Rodrigo Rosenfeld Rosas

    Rodrigo Rosenfeld Rosas November 11th, 2010 @ 03:52 PM

    Worth noting that this monkey patch will only work on ERB templates but won't work for HAML for instance...

  • Fjan

    Fjan November 11th, 2010 @ 04:40 PM

    • Title changed from “ActionMailer is html escaping plain text messages” to “[PATCH] ActionMailer is html escaping plain text messages”

    Here is the one-line patch that can be applied to edge. Sorry, I have no idea how to add a test for this, I'm kind of new to all this.

  • Santiago Pastorino
  • Santiago Pastorino
  • Santiago Pastorino

    Santiago Pastorino February 27th, 2011 @ 03:15 AM

    • Milestone changed from 3.0.5 to 3.0.6
  • Matthew Stopa

    Matthew Stopa April 28th, 2011 @ 08:38 PM

    Does anyone know if this issue has been fixed yet? It looks like things have changed a lot in Rails3 since the patch was submitted. We're experiencing the problem currently where our users are getting their emails with escaped characters. Anyone know a workaround?

  • Bertg

    Bertg April 28th, 2011 @ 09:19 PM

    I have no idea what the status on this ticket is, but the work around we used is to indicate EACH string as html safe manually. That works great :)

  • Matthew Stopa

    Matthew Stopa April 28th, 2011 @ 10:08 PM

    That hasn't worked for me at all. Even with a basic ActionMailer where I specify the body as body => "blah blah".html_safe I am still seeing escaped characters in the emails it sends.

  • Fjan

    Fjan April 29th, 2011 @ 08:15 AM

    @Matthew: I've been using the monkey patch I provided in the November 11th post in production for quite some time now and it works great. Just drop it in the config/initializers directory.

Create your profile

Help contribute to this project by taking a few moments to create your personal profile. Create your profile »

<h2 style="font-size: 14px">Tickets have moved to Github</h2>

The new ticket tracker is available at <a href="https://github.com/rails/rails/issues">https://github.com/rails/rails/issues</a>

Referenced by

Pages