It's certainly possible that this is a bug in the Hobo taglibs, we may
have missed a spot when adding Hobo XSS support.   If you can generate
the bug on a minimal Hobo app, we'd love to take a look.

Bryan

On Fri, Jun 24, 2011 at 2:50 PM, ylluminate <[email protected]> wrote:
> Interestingly I am building an app presently and in the stock
> generated links I'm seeing an anomaly.  For example, I added some
> counties who are parents of cities.  Upon adding a new city, it
> selected the county appropriately, but emitted the escaped html:
> Screenshot: http://bit.ly/jIFY87
> Code:  <span class="county-tag view city-county model::county:1">&lt;a
> class=&quot;county-link&quot; href=&quot;/counties/1-
> jackson&quot;&gt;&lt;span class=&quot;view county-name
> &quot;&gt;Jackson&lt;/span&gt;&lt;/a&gt;</span>
>
> I've not modified anything in the controllers or views so far.
>
>
>
> On Jun 23, 8:12 am, Bryan Larsen <[email protected]> wrote:
>> You've run afoul of Rails cross-site scripting protection (XSS).
>>
>> Every part of a string has to be marked as html_safe, if there's just
>> one part that isn't, you get the behavior you've noticed.
>>
>> <a><%= "John Smith".html_safe %></a>
>>
>> I assume you're using Hobo 1.3 with Rails 3.
>>
>> If you're using Hobo 1.0 with Rails 2.3, turn off XSS protection,
>> because Hobo 1.0 doesn't support it.
>>
>> Bryan
>>
>>
>>
>>
>>
>>
>>
>> On Thu, Jun 23, 2011 at 2:41 AM, Jim Harvey <[email protected]> wrote:
>> > I'm having a problem with my links not being recognized as HTML. For
>> > example, in a table displaying all users, instead of the name with a
>> > link to the user's profile I see:
>>
>> > <a class="user-link" href="/admin/users/1-john-smith"><span
>> > class="view user-name">John Smith</span></a>
>>
>> > on the page.
>>
>> > As far as I know I haven't overwritten any of the standard Rapid tags
>> > that would apply in this situation. There is nothing in
>> > application.dryml or /admin/users/index.dryml that changes the default
>> > behavior. Does anyone have any clues as to where I can look to see why
>> > this escaping is going on? I know that I can overwrite it with a link
>> > but the above example is not the only place this is happening so I
>> > want to root out the cause rather than introduce an unknown number of
>> > patches. Thanks for any help you can give!
>>
>> > Jim
>>
>> > --
>> > You received this message because you are subscribed to the Google Groups 
>> > "Hobo Users" group.
>> > To post to this group, send email to [email protected].
>> > To unsubscribe from this group, send email to 
>> > [email protected].
>> > For more options, visit this group 
>> > athttp://groups.google.com/group/hobousers?hl=en.
>
> --
> You received this message because you are subscribed to the Google Groups 
> "Hobo Users" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to 
> [email protected].
> For more options, visit this group at 
> http://groups.google.com/group/hobousers?hl=en.
>
>

-- 
You received this message because you are subscribed to the Google Groups "Hobo 
Users" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to 
[email protected].
For more options, visit this group at 
http://groups.google.com/group/hobousers?hl=en.

Reply via email to