#5545 capture helper assumes that text is html_safe - Ruby on Rails

Type	To find
responsible:me	tickets assigned to you
tagged:"@high"	tickets tagged @high
milestone:next	tickets in the upcoming milestone
state:invalid	tickets with the state invalid
created:"last week"	tickets created last week
sort:number, importance, updated	tickets sorted by #, importance or updated
Combine keywords for powerful searching.
Use advanced searching »

This project is archived and is in readonly mode.

#5545 ✓resolved

capture helper assumes that text is html_safe

Reported by Jakub Suder | September 3rd, 2010 @ 12:04 PM | in 3.0.2

That may cause XSS issues if you don't expect it...

Example:

<p><%= @profile.location %></p>
<p><%= capture { @profile.location } %></p>
<p><%= content_tag(:div, @profile.location) %></p>
<p><%= content_tag(:div) { @profile.location } %></p>

# result:

<p>Kraków, Poland &lt;h1&gt;foo&lt;h1&gt;</p> 
<p>Kraków, Poland <h1>foo<h1></p> 
<p><div>Kraków, Poland &lt;h1&gt;foo&lt;h1&gt;</div></p> 
<p><div>Kraków, Poland <h1>foo<h1></div></p>

Comments and changes to this ticket

Jeff Kreeftmeijer October 11th, 2010 @ 07:48 PM
- State changed from “new” to “open”
- Milestone set to “3.x”
- Assigned user set to “Santiago Pastorino”
- Tag changed from “action_view, capturehelper, content_tag, escaping, helpers, xss” to “action_view, capturehelper, content_tag, escaping, helpers, patch, xss”
- Importance changed from “” to “Low”
I've attached a patch that runs html_escape on capture's output before returning. It also adds .html_safe to the test_link_to_unless assertion and removes another test_link_to_unless I found. Don't ask me why, but there were two. Any thoughts? :)
- 5545.diff 2.6 KB
Santiago Pastorino October 11th, 2010 @ 08:08 PM
- Milestone cleared.
- Importance changed from “Low” to “High”
Jeremy Kemper October 15th, 2010 @ 11:02 PM
- Milestone set to “3.0.2”
[bulk edit]
Ryan Bigg October 16th, 2010 @ 02:38 AM
- Tag changed from “sheepskin boots, action_view, capturehelper, content_tag, escaping, helpers, patch, xss” to “action_view capturehelper content_tag escaping helpers patch xss”
Automatic cleanup of spam.
Jeff Kreeftmeijer October 16th, 2010 @ 12:41 PM
- Tag changed from “action_view capturehelper content_tag escaping helpers patch xss” to “action_view, capturehelper, content_tag, helpers, patch, xss”
Ryan's spambot script seems to have reverted my tag changes.
Repository November 2nd, 2010 @ 10:03 PM
- State changed from “open” to “resolved”
(from [bb9c58eb4aa637fa75c69c705a9918d6322ff834]) Make sure capture's output gets html_escaped [#5545 state:resolved]

Also remove a duplicate test_link_to_unless assertion and add .html_safe to the
remaining one.

Signed-off-by: Santiago Pastorino santiago@wyeworks.com
http://github.com/rails/rails/commit/bb9c58eb4aa637fa75c69c705a9918...
Repository November 2nd, 2010 @ 10:21 PM
(from [5cb1dad228fb224a5661e36fe492dae700021b0f]) Make sure capture's output gets html_escaped [#5545 state:resolved]

Also remove a duplicate test_link_to_unless assertion and add .html_safe
to the remaining one.

Signed-off-by: Santiago Pastorino santiago@wyeworks.com
http://github.com/rails/rails/commit/5cb1dad228fb224a5661e36fe492da...
You flagged this item as spam.
Keith Pitt November 24th, 2010 @ 04:48 AM
Hrm - this seems like a silly change to me.

Firstly, the documentation inside the capture helper states:

"It provides a method to capture blocks into variables through capture and a way to capture a block of markup for use in a layout through content_for."

Keyword there being "markup". If you automatically escape the content - you cant really use it for markup anymore.

Secondly, given the following helper:
```
def box(&block)
  content_tag :div, capture(&block).html_safe
end
```
Wouldnt that automatically escape the html returned by capture, thus making this sort of convention impossible?
You flagged this item as spam.
Wincent Colaiuta December 3rd, 2010 @ 05:15 PM
Also not 100% sure if this is the best change, as it caused some breakage in my app where I was using it to "capture a block of markup", like Keith says.

On the other hand, at least it is more consistent than before, seeing as now both the block and non-block forms of content_tag will escape their content (if it is not already marked as safe).

Create your profile

Help contribute to this project by taking a few moments to create your personal profile. Create your profile »

<h2 style="font-size: 14px">Tickets have moved to Github</h2>

The new ticket tracker is available at <a href="https://github.com/rails/rails/issues">https://github.com/rails/rails/issues</a>

Shared Ticket Bins (Sort)

↓↑ drag 455 Open Bugs
↓↑ drag 0 Recent Open Tickets
↓↑ drag 87 Open Patches
↓↑ drag 0 Open Doc Patches
↓↑ drag 542 Stale Tickets
↓↑ drag 3 Verified Patches
↓↑ drag 87 Stale Patches
↓↑ drag 0 Yesterday's Tickets
↓↑ drag 0 Two Days Ago
↓↑ drag 0 This Week
↓↑ drag 0 Last Week
↓↑ drag 7 Bugmash
↓↑ drag 0 Bugmash review queue
↓↑ drag 5 Rails 3 High Priority Tickets

People watching this ticket

Attachments

5545.diff 2.6 KB

Referenced by

5545 capture helper assumes that text is html_safe (from [bb9c58eb4aa637fa75c69c705a9918d6322ff834]) Make su...
5545 capture helper assumes that text is html_safe (from [5cb1dad228fb224a5661e36fe492dae700021b0f]) Make su...

Rails Ruby on Rails → 3.0.2