All I have so far are models set up... so I'd say that's pretty
minimal.  Would you like to take a look at this, or do I need to pare
it down further?


On Jun 24, 2:53 pm, Bryan Larsen <[email protected]> wrote:
> It's certainly possible that this is a bug in the Hobo taglibs, we may
> have missed a spot when adding Hobo XSS support.   If you can generate
> the bug on a minimal Hobo app, we'd love to take a look.
>
> Bryan
>
>
>
>
>
>
>
> On Fri, Jun 24, 2011 at 2:50 PM, ylluminate <[email protected]> wrote:
> > Interestingly I am building an app presently and in the stock
> > generated links I'm seeing an anomaly.  For example, I added some
> > counties who are parents of cities.  Upon adding a new city, it
> > selected the county appropriately, but emitted the escaped html:
> > Screenshot:http://bit.ly/jIFY87
> > Code:  <span class="county-tag view city-county model::county:1">&lt;a
> > class=&quot;county-link&quot; href=&quot;/counties/1-
> > jackson&quot;&gt;&lt;span class=&quot;view county-name
> > &quot;&gt;Jackson&lt;/span&gt;&lt;/a&gt;</span>
>
> > I've not modified anything in the controllers or views so far.
>
> > On Jun 23, 8:12 am, Bryan Larsen <[email protected]> wrote:
> >> You've run afoul of Rails cross-site scripting protection (XSS).
>
> >> Every part of a string has to be marked as html_safe, if there's just
> >> one part that isn't, you get the behavior you've noticed.
>
> >> <a><%= "John Smith".html_safe %></a>
>
> >> I assume you're using Hobo 1.3 with Rails 3.
>
> >> If you're using Hobo 1.0 with Rails 2.3, turn off XSS protection,
> >> because Hobo 1.0 doesn't support it.
>
> >> Bryan
>
> >> On Thu, Jun 23, 2011 at 2:41 AM, Jim Harvey <[email protected]> wrote:
> >> > I'm having a problem with my links not being recognized as HTML. For
> >> > example, in a table displaying all users, instead of the name with a
> >> > link to the user's profile I see:
>
> >> > <a class="user-link" href="/admin/users/1-john-smith"><span
> >> > class="view user-name">John Smith</span></a>
>
> >> > on the page.
>
> >> > As far as I know I haven't overwritten any of the standard Rapid tags
> >> > that would apply in this situation. There is nothing in
> >> > application.dryml or /admin/users/index.dryml that changes the default
> >> > behavior. Does anyone have any clues as to where I can look to see why
> >> > this escaping is going on? I know that I can overwrite it with a link
> >> > but the above example is not the only place this is happening so I
> >> > want to root out the cause rather than introduce an unknown number of
> >> > patches. Thanks for any help you can give!
>
> >> > Jim
>
> >> > --
> >> > You received this message because you are subscribed to the Google 
> >> > Groups "Hobo Users" group.
> >> > To post to this group, send email to [email protected].
> >> > To unsubscribe from this group, send email to 
> >> > [email protected].
> >> > For more options, visit this group 
> >> > athttp://groups.google.com/group/hobousers?hl=en.
>
> > --
> > You received this message because you are subscribed to the Google Groups 
> > "Hobo Users" group.
> > To post to this group, send email to [email protected].
> > To unsubscribe from this group, send email to 
> > [email protected].
> > For more options, visit this group 
> > athttp://groups.google.com/group/hobousers?hl=en.

-- 
You received this message because you are subscribed to the Google Groups "Hobo 
Users" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to 
[email protected].
For more options, visit this group at 
http://groups.google.com/group/hobousers?hl=en.

Reply via email to