select_tag wrongly escaped option tags passed to it in rails 3.0.0
Reported by foxban | September 2nd, 2010 @ 07:07 AM
# File actionpack/lib/action_view/helpers/form_tag_helper.rb, line 95
 95: def select_tag(name, option_tags = nil, options = {})
 96:   if Array === option_tags
 97:     ActiveSupport::Deprecation.warn 'Passing an array of option_tags to select_tag implicitly joins them without marking them as HTML-safe. Pass option_tags.join.html_safe instead.', caller
 98:   end
 99:
100:   html_name = (options[:multiple] == true && !name.to_s.ends_with?("[]")) ? "#{name}[]" : name
101:   if blank = options.delete(:include_blank)
102:     if blank.kind_of?(String)
103:       option_tags = "<option value=\"\">#{blank}</option>".html_safe + option_tags
104:     else
105:       option_tags = "<option value=\"\"></option>".html_safe + option_tags
106:     end
107:   end
108:   content_tag :select, option_tags, { "name" => html_name, "id" => sanitize_to_id(name) }.update(options.stringify_keys)
109: end
On line 108, content_tag is called directly; however, content_tag will escape the strings passed to it,
so when I type
<%= select_tag :idc_id, "<option></option>" %>
I got:
<select name="idc_id" id="idc_id><option&rt;</option&rt;</select>
and it never displays correctly in the browser.
By the way, I didn't find that the select_tag function supports an option like ":escape => false".
To fix this, I changed the source code of select_tag a little, as follows:
108: content_tag :select, option_tags, { "name" => html_name, "id" => sanitize_to_id(name) }.update(options.stringify_keys), false
Everything works smoothly then.
It's not clear to me whether this is a feature or a bug.
Comments and changes to this ticket
-
David Trasbo September 2nd, 2010 @ 01:11 PM
- Assigned user set to Rohit Arondekar
You have to explicitly mark the string you're passing to select_tag as html_safe, like so: select_tag :idc_id, "<option></option>".html_safe
This can be closed.
-
Rohit Arondekar September 2nd, 2010 @ 01:58 PM
- State changed from new to invalid
- Importance changed from to Low
This might be helpful in understanding the new .html_safe and .html_safe? methods and how Rails 3 uses them. http://asciicasts.com/episodes/204-xss-protection-in-rails-3
-
foxban September 2nd, 2010 @ 02:16 PM
I didn't find anything talking about "html_safe" in the docs, for instance: http://guides.rubyonrails.org/form_helpers.html.
Maybe I should read the docs more carefully, :-)
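The html_safe mechanism the comments refer to, as an added example that is not part of the ticket and not Rails source: a minimal model of ActiveSupport::SafeBuffer, content_tag and select_tag, enough to show why a plain String is escaped (the behaviour reported above), why the reporter's `false` patch is risky, and how option markup is meant to be built. The classes and helpers below (SafeBuffer, content_tag, select_tag, select_tag_no_escape, options_for_select) are simplified stand-ins with the same names as the Rails ones, and the "hostile" label is constructed sample input.

```ruby
# Added example (not Rails source): a minimal model of the Rails 3 html_safe
# mechanism. SafeBuffer, content_tag, select_tag and options_for_select are
# simplified stand-ins for the real helpers; only the behaviour the ticket
# discusses is modelled.
require 'cgi'

# Escapes &, <, >, " and ' (same idea as ERB::Util.html_escape).
def html_escape(str)
  CGI.escapeHTML(str)
end

# A String that carries the "already safe HTML" flag. Concatenating a plain
# String onto it escapes that String first; another SafeBuffer is appended
# verbatim. This is the behaviour behind the include_blank branch in the
# ticket: "<option value=\"\"></option>".html_safe + option_tags
class SafeBuffer < String
  def html_safe?
    true
  end

  def +(other)
    other = html_escape(other) unless other.html_safe?
    SafeBuffer.new(super(other))
  end
end

# Rails adds these to String; a plain String is never html_safe.
class String
  def html_safe?
    false
  end

  def html_safe
    SafeBuffer.new(self)
  end
end

# Model of content_tag: the body is escaped unless it is already html_safe
# or the caller passes escape = false. Attribute values are always escaped.
def content_tag(name, content, attrs = {}, escape = true)
  body = (escape && !content.html_safe?) ? html_escape(content) : content
  attr_str = attrs.map { |k, v| %( #{k}="#{html_escape(v.to_s)}") }.join
  "<#{name}#{attr_str}>#{body}</#{name}>".html_safe
end

# Model of select_tag as shipped in 3.0.0: option_tags go through content_tag,
# so a plain String comes out escaped, exactly as the ticket reports.
def select_tag(name, option_tags, options = {})
  option_tags = "<option value=\"\"></option>".html_safe + option_tags if options[:include_blank]
  content_tag(:select, option_tags, { 'name' => name, 'id' => name })
end

# The reporter's patch, modelled: escaping switched off for the body. Whatever
# the caller passes lands in the page raw, including any user-supplied text
# that ended up inside the option markup.
def select_tag_no_escape(name, option_tags)
  content_tag(:select, option_tags, { 'name' => name, 'id' => name }, false)
end

# The intended way to hand option markup to select_tag: escape every label and
# value, then mark the assembled markup safe (what options_for_select does).
def options_for_select(pairs)
  pairs.map { |label, value|
    %(<option value="#{html_escape(value.to_s)}">#{html_escape(label.to_s)}</option>)
  }.join.html_safe
end

if __FILE__ == $0
  # Constructed sample input standing in for a label read from the database.
  hostile = '<script>alert(1)</script>'
  puts select_tag('idc_id', '<option></option>')                      # escaped, as reported
  puts select_tag('idc_id', '<option></option>'.html_safe)            # rendered as markup
  puts select_tag('idc_id', options_for_select([[hostile, 'x']]))     # label escaped, tags intact
  puts select_tag_no_escape('idc_id', "<option>#{hostile}</option>")  # script lands raw
end
```

The contrast worth noting is between the last two calls: options_for_select escapes the label and then marks the whole string safe, so the script tag is neutralised while the option tags survive, whereas the `false` patch trusts whatever string reaches content_tag and would let the same label through unescaped.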