[PATCH] Fix Erubis non-escaping sequence to mimic raw()
Reported by Fjan | November 4th, 2010 @ 04:42 PM | in 3.0.5
According to the Erubis documentation the sequence <%== %> should insert the contents without HTML escaping. At the moment Rails instead produces double escaped HTML of the contents (so <%== "&" %> becomes "&") which is pretty useless. The attached patch fixes it to work as expected.
There are a few additional advantages to doing this:
- It allows for a cleaner syntax:
  <%= '<b>Alert</b>'.html_safe if level<0 %>
  <%== '<b>Alert</b>' if level<0 %>
- The above example also performs better because it avoids converting between a SafeBuffer object and a String, a few percent in my testing.
- It allows easy upgrading of a stable Rails 2 app to Rails 3 by doing a global search/replace of <%= with <%==
Please note that I am not against the idea of on-by-default XSS escaping, this just increases flexibility for people who can handle it. As an aside, I think the proper way to test for XSS vulnerabilities is to put <bad&> tags in your fixtures and scan for them in the response body in your test helper.
Attached patch is a file that can be dropped into initializers to fix Rails 3
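An added illustration, not code from the ticket or from Rails: a minimal ERB-style compiler that reproduces the behaviour the accepted patch gives Rails 3, where <%= %> escapes anything not marked html_safe and <%== %> inserts the value raw, the same as <%= raw(x) %>. SafeString, MiniErb and the sample templates are constructed stand-ins for ActiveSupport::SafeBuffer and the real Erubis handler.

```ruby
require 'cgi'

# Stand-in for ActiveSupport::SafeBuffer: a String that reports itself as already escaped.
class SafeString < String
  def html_safe?; true; end
end

class String
  def html_safe?; false; end
  def html_safe; SafeString.new(self); end
end

# Tiny ERB compiler with the three tag kinds the ticket is about.
module MiniErb
  TAG = /<%(==|=|)(.*?)%>/m

  # Output helper for <%= %>: escape unless the value claims to be html_safe.
  def self.escape(value)
    s = value.to_s
    value.respond_to?(:html_safe?) && value.html_safe? ? s : CGI.escapeHTML(s)
  end

  # Translate template text into Ruby source that appends to _buf.
  # String#split keeps the captured groups, so parts come in [text, kind, code] triples.
  def self.compile(template)
    src = +"_buf = +''\n"
    template.split(TAG).each_slice(3) do |text, kind, code|
      src << "_buf << #{text.dump}\n" unless text.nil? || text.empty?
      next if kind.nil?
      piece = case kind
              when ''   then "#{code}\n"                            # <% %>   plain Ruby statement
              when '='  then "_buf << MiniErb.escape((#{code}))\n"  # <%= %>  escaped unless html_safe
              when '==' then "_buf << (#{code}).to_s\n"             # <%== %> raw, i.e. <%= raw(x) %>
              end
      src << piece
    end
    src << "_buf"
  end

  # Evaluate the compiled template with the given locals and return the rendered string.
  def self.render(template, locals = {})
    b = binding
    locals.each { |name, value| b.local_variable_set(name, value) }
    eval(compile(template), b)
  end
end
```

With a constructed template such as `"<%= x %>|<%== x %>"` and `x = '<b>&</b>'`, `MiniErb.render` yields `&lt;b&gt;&amp;&lt;/b&gt;|<b>&</b>`, showing the raw tag bypassing the escaping that <%= %> applies.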
Comments and changes to this ticket
Rodrigo Rosenfeld Rosas November 5th, 2010 @ 12:25 PM
Didn't take a look at the implementation, but +1 for the idea
Michael Koziarski November 5th, 2010 @ 09:29 PM
- Milestone set to 3.0.2
- Assigned user set to Michael Koziarski
- Importance changed from to Low
As I mentioned on the core list, upload a proper patch for making <%== behave exactly like <%= raw and I'll take a look
https://github.com/rails/rails/commit/209235165266ff39f2d14d02b497d...
That's a commit which did something similar
Fjan November 6th, 2010 @ 02:44 PM
- Title changed from Fix Erubis non-escaping sequence [patch] to [PATCH] Fix Erubis non-escaping sequence to mimic raw()
Ok, here's the patch. This is my first experience with git and with submitting a patch. I think I followed the procedures in the Rails guide correctly but please let me know if it's not correct.
Repository November 7th, 2010 @ 08:57 PM
(from [f04ec6a227b702342d2fb841f94915499bf6101a]) Added support for Erubis <%== tag
<%== x %> is syntactic sugar for <%= raw(x) %>
Signed-off-by: Michael Koziarski michael@koziarski.com
[#5918 status:committed] https://github.com/rails/rails/commit/f04ec6a227b702342d2fb841f9491...
Repository November 7th, 2010 @ 09:03 PM
(from [ea1fde6ae750b78bfc58259fcdb7dd22ce0b3127]) Added support for Erubis <%== tag
<%== x %> is syntactic sugar for <%= raw(x) %>
Signed-off-by: Michael Koziarski michael@koziarski.com
[#5918 status:committed]
Conflicts:
actionpack/test/controller/new_base/render_template_test.rb
https://github.com/rails/rails/commit/ea1fde6ae750b78bfc58259fcdb7d...
Fjan November 23rd, 2010 @ 10:52 PM
This one is already out in 3.0.3 and working fine, ticket can be closed.
Rohit Arondekar December 12th, 2010 @ 02:20 AM
- State changed from new to resolved
Referenced by
- 5918 [PATCH] Fix Erubis non-escaping sequence to mimic raw() Signed-off-by: Michael Koziarski michael@koziarski.com [#...
- 4858 ActionMailer is html escaping plain text messages Now that my patch to add a non-escaping option to Erubis...