This commit https://github.com/rails/rails/commit/2c8bff3513b17a8ad55595a61601bfba14ad40bf just changes from html_escape string to ERB::Util.html_escape(string), so both are calling the same method.
You're talking about this one https://github.com/rails/rails/commit/bb9c58eb4aa637fa75c69c705a9918d6322ff834 and this fixes a security issue. I'd say that you're missing an html_safe somewhere.

On Thu, Feb 10, 2011 at 10:54 AM, Joaquin Rivera Padron <[email protected]> wrote:
>
> commit 2c8bff3513b17a8ad55595a61601bfba14ad40bf
> Author: Santiago Pastorino <[email protected]>
> Date: Tue Nov 2 20:18:22 2010 -0200
>
>     Call as ERB::Util.html_escape since the module is not included
>     here
>
> 2011/2/10 Joaquin Rivera Padron <[email protected]>
>>
>> hi,
>> I diff-ed 3.0.0 with 3.0.1 and I got this
>> diff --git a/actionpack/lib/action_dispatch/routing/polymorphic_routes.rb
>> b/actionpack/lib/action_dispatch/routing/polymorphic_routes.rb
>> index 142cd08..fb2118a 100644
>> --- a/actionpack/lib/action_dispatch/routing/polymorphic_routes.rb
>> +++ b/actionpack/lib/action_dispatch/routing/polymorphic_routes.rb
>> @@ -17,7 +17,7 @@ module ActionDispatch
>> #
>> ...skipping...
>> buffer = with_output_buffer { value = yield(*args) }
>> if string = buffer.presence || value and string.is_a?(String)
>> - NonConcattingString.new(string)
>> + NonConcattingString.new(ERB::Util.html_escape(string))
>> end
>> end
>>
>> if I put back the NonConcattingString.new(string) it works (at least for
>> me)
>> don't know the implications though, wdyt?
>> jk
>>
>> 2011/2/10 Joaquin Rivera Padron <[email protected]>
>>>
>>> yes, if by 3-0-stable you mean 3.0.0, yes it works
>>> thanks for the "ping offer", I'll let you know if anything, but I won't
>>> (can't) be full time chasing the bug :-(
>>> jk
>>>
>>> 2011/2/10 Santiago Pastorino <[email protected]>
>>>>
>>>> Great, ping me if I can help you.
>>>> BTW did you try 3-0-stable?
>>>>
>>>> On Thu, Feb 10, 2011 at 9:51 AM, Joaquin Rivera Padron
>>>> <[email protected]> wrote:
>>>> > for me versions 3.0.4, 3.0.4.rc1, 3.0.3 and 3.0.2 are also broken
>>>> > ok, it's 3.0.1, will keep digging then
>>>> > jk
>>>> >
>>>> > 2011/2/9 Brian Morearty <[email protected]>
>>>> >>
>>>> >> Yes, I saw something similar when I upgraded to 3.0.4 this morning. I
>>>> >> didn't have a chance to debug it so for the moment I went back to
>>>> >> 3.0.1. I wasn't sure if it was my doing so I didn't say anything on
>>>> >> this list.
>>>> >>
>>>> >> I have a helper function that returns an HTML string. The function
>>>> >> calls .html_safe before returning. That worked in 3.0.1 but in 3.0.4
>>>> >> it is being escaped in the output.
>>>> >>
>>>> >> I also tried adding .html_safe to the .html.erb file (double-safe it)
>>>> >> but to no avail.
>>>> >>
>>>> >> I was not able to reproduce it in a simple case though, even in the very
>>>> >> same function.
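Review bot: the `+` line passes whatever the block returned through ERB::Util.html_escape unconditionally, so in the quoted hunk a captured value only survives unescaped if `string` is already marked html_safe when it reaches this point; a helper that calls .html_safe and then assembles its result with plain String concatenation or interpolation hands back an unmarked String and gets escaped, which is exactly the symptom reported upthread (helper output escaped in 3.0.4, fine in 3.0.1). That contract is worth stating in a comment next to `NonConcattingString.new(ERB::Util.html_escape(string))` rather than leaving it implicit. Style point on the unchanged context line `if string = buffer.presence || value and string.is_a?(String)`: it relies on `and` binding lower than `=` and reads like a typo; `if (string = buffer.presence || value) && string.is_a?(String)` says the same thing explicitly. Finally, the file header names polymorphic_routes.rb while the hunk body (with_output_buffer, yield(*args)) is the capture helper and `...skipping...` is pager output, so this is not a clean hunk against the named file; the comparison should be regenerated for the file that actually contains this helper before anyone reasons about it.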
>>>> >>
>>>> >> Brian
>>>> >>
>>>> >> On Feb 9, 1:06 pm, Joaquin Rivera Padron <[email protected]> wrote:
>>>> >> > hello,
>>>> >> > I have today updated my rails app to the 3.0.4 security release but now
>>>> >> > this
>>>> >> >
>>>> >> > yield :javascripts
>>>> >> >
>>>> >> > fails in the layout and I get my custom js escaped as text in the
>>>> >> > view.
>>>> >> >
>>>> >> > anybody seeing this also?
>>>> >> >
>>>> >> > tia,
>>>> >> > jk
>>>> >> >
>>>> >> > --
>>>> >> > www.least-significant-bit.com
>>>> >>
>>>> >> --
>>>> >> You received this message because you are subscribed to the Google
>>>> >> Groups "Ruby on Rails: Core" group.
>>>> >> To post to this group, send email to [email protected].
>>>> >> To unsubscribe from this group, send email to
>>>> >> [email protected].
>>>> >> For more options, visit this group at
>>>> >> http://groups.google.com/group/rubyonrails-core?hl=en.
>>>> >
>>>> > --
>>>> > www.least-significant-bit.com
>>>>
>>>
>>> --
>>> www.least-significant-bit.com
>>
>> --
>> www.least-significant-bit.com
>
> --
> www.least-significant-bit.com
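The symptom Brian and Joaquin describe (a helper that calls .html_safe whose output still comes out escaped) and Santiago's diagnosis (an html_safe missing somewhere) come down to how the safe marking travels through string operations. The block below is an added example, not code from Rails or from anyone in this thread: it is a small stand-in for Rails 3.0's SafeBuffer and its html_escape override, with a capture-like function modelling the `+` line of the quoted hunk, and shows which helper constructions keep the marking and which silently drop it (SCRIPT is a constructed sample tag; method names are the example's own).

```ruby
# Added example, not Rails code: a reduced model of how Rails 3.0's html_safe
# marking travels through String operations, and why a helper's output can
# come out escaped once `capture` escapes what the block returns.
HTML_ESCAPE = { '&' => '&amp;', '>' => '&gt;', '<' => '&lt;', '"' => '&quot;' }.freeze

# Models the Rails 3 override of ERB::Util.html_escape: strings already
# marked safe pass through; everything else is escaped and marked safe.
def html_escape(s)
  s = s.to_s
  s.html_safe? ? s : SafeBuffer.new(s.gsub(/[&"><]/) { |c| HTML_ESCAPE[c] })
end

class SafeBuffer < String
  def html_safe?; true; end
  def to_s; self; end               # String#to_s would drop the subclass
  def concat(other)                 # appending unsafe text escapes it
    super(other.html_safe? ? other : html_escape(other))
  end
  alias_method :<<, :concat
  def +(other); dup.concat(other); end  # result stays a SafeBuffer
end

class String
  def html_safe?; false; end
  def html_safe; SafeBuffer.new(self); end
end

# Models the `+` line of the quoted hunk: the block's return value is
# escaped unless it is already marked safe.
def capture
  value = yield
  value.is_a?(String) ? html_escape(value) : value
end

SCRIPT = '<script src="/app.js"></script>'   # constructed sample markup

# Receiver is a plain String, so String#+ returns a plain String and the
# .html_safe marking on SCRIPT is lost; capture then escapes the whole tag.
def js_tag_lost_safety
  "\n" + SCRIPT.html_safe
end

# Same for interpolation: "#{...}" always builds a plain String.
def js_tag_interpolated
  "#{SCRIPT.html_safe}\n"
end

# Start from a SafeBuffer and append to it: the marking is preserved, and
# any unsafe fragment appended later is escaped on its own.
def js_tag_kept_safety
  "\n".html_safe + SCRIPT.html_safe
end
```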
