#5918 ✓resolved
Fjan

[PATCH] Fix Erubis non-escaping sequence to mimic raw()

Reported by Fjan | November 4th, 2010 @ 04:42 PM | in 3.0.5

According to the Erubis documentation the sequence <%== %> should insert the contents without HTML escaping. At the moment Rails instead produces double escaped HTML of the contents (so <%== "&" %> becomes "&amp;") which is pretty useless. The attached patch fixes it to work as expected.

There are a few additional advantages to doing this:

  • It allows for a cleaner syntax:
        <%= '<b>Alert</b>'.html_safe if level<0 %>
    can become:
        <%== '<b>Alert</b>' if level<0 %>

  • The above example also performs better because it avoids converting between a SafeBuffer object and a String, a few percent in my testing.

  • It allows easy upgrading of a stable Rails 2 app to Rails 3 by doing a global search/replace of <%= with <%==.

Please note that I am not against the idea of on-by-default XSS escaping, this just increases flexibility for people who can handle it. As an aside, I think the proper way to test for XSS vulnerabilities is to put <bad&> tags in your fixtures and scan for them in the response body in your test helper.

Attached patch is a file that can be dropped into initializers to fix Rails 3
