#714 Problem with attribute escaping (sanitized.rb) +patch - Ruby on Rails

Type	To find
responsible:me	tickets assigned to you
tagged:"@high"	tickets tagged @high
milestone:next	tickets in the upcoming milestone
state:invalid	tickets with the state invalid
created:"last week"	tickets created last week
sort:number, importance, updated	tickets sorted by #, importance or updated
Combine keywords for powerful searching.
Use advanced searching »

This project is archived and is in readonly mode.

#714 ✓duplicate

Problem with attribute escaping (sanitized.rb) +patch

Reported by Kieran P | July 28th, 2008 @ 07:21 AM | in 2.x

When you have a URL with an ampersand in an attribute, it is escape each time you edit that field. What happens over time is the escaped ampersand also get escaped, resulting in something like this:

&amp;

&amp;amp;

etc

When used in conjunction with things like TinyMCE, it makes it impossible to have links (that is, <a href=""> tags with an & in the href attribute) in the body.

(note though that this does happen without TinyMCE, but its more noticeable with TinyMCE because it escapes URLs automatically before it gets to Rails, so the link is broken when a record is made).

I have an attached a simple fix which when applied to my code, fixed all the problems I encountered. Basically, you turn & to & and back to &. How this fixes the issue is already escaped data is changed back, and then re-escaped, preventing escape build up.

Hope this helps.

Comments and changes to this ticket

josh October 28th, 2008 @ 04:34 PM
- State changed from “new” to “stale”
Staling out, please reopen if this is still a problem.
You flagged this item as spam.
Kieran P October 28th, 2008 @ 08:30 PM
- Assigned user set to “josh”
The issue still exists. The patch above is still valid.
You flagged this item as spam.
Walter McGinnis October 28th, 2008 @ 08:40 PM
+1 On Oct 29, 2008, at 9:30 AM, Lighthouse wrote:
You flagged this item as spam.
John Burmeister October 30th, 2008 @ 12:17 AM
- Tag changed from “2.1, actionpack, bug, patch, sanitized, tiny” to “2.1, 2.2, actionpack, bug, patch, sanitize, sanitized, tiny”
Patch works great, please fix. +1
josh November 2nd, 2008 @ 04:19 PM
- State changed from “stale” to “open”
- Assigned user cleared.
You flagged this item as spam.
theflow November 6th, 2008 @ 11:14 AM
this is duplicate of #683 (which proposes the same solution and includes a test)
Pratik March 6th, 2009 @ 07:21 PM
- State changed from “open” to “duplicate”

Create your profile

Help contribute to this project by taking a few moments to create your personal profile. Create your profile »

<h2 style="font-size: 14px">Tickets have moved to Github</h2>

The new ticket tracker is available at <a href="https://github.com/rails/rails/issues">https://github.com/rails/rails/issues</a>

Shared Ticket Bins (Sort)

↓↑ drag 455 Open Bugs
↓↑ drag 0 Recent Open Tickets
↓↑ drag 87 Open Patches
↓↑ drag 0 Open Doc Patches
↓↑ drag 542 Stale Tickets
↓↑ drag 3 Verified Patches
↓↑ drag 87 Stale Patches
↓↑ drag 0 Yesterday's Tickets
↓↑ drag 0 Two Days Ago
↓↑ drag 0 This Week
↓↑ drag 0 Last Week
↓↑ drag 7 Bugmash
↓↑ drag 0 Bugmash review queue
↓↑ drag 5 Rails 3 High Priority Tickets

People watching this ticket

Attachments

patch.txt 799 Bytes

Rails Ruby on Rails → 2.x