I'll check, thanks for the reply
jk
2011/2/10 Santiago Pastorino <[email protected]>
> This commit
> https://github.com/rails/rails/commit/2c8bff3513b17a8ad55595a61601bfba14ad40bf
> just changes from html_escape string to ERB::Util.html_escape(string)
> so both are calling the same method.
>
> You're talking about this one
> https://github.com/rails/rails/commit/bb9c58eb4aa637fa75c69c705a9918d6322ff834
> and this fixes a security issue. I'd say that you're missing an html_safe
> somewhere.
>
> On Thu, Feb 10, 2011 at 10:54 AM, Joaquin Rivera Padron
> <[email protected]> wrote:
> >
> > commit 2c8bff3513b17a8ad55595a61601bfba14ad40bf
> > Author: Santiago Pastorino <[email protected]>
> > Date: Tue Nov 2 20:18:22 2010 -0200
> >
> > Call as ERB::Util.html_escape since the module is not included here
> >
> > 2011/2/10 Joaquin Rivera Padron <[email protected]>
> >>
> >> hi,
> >> I diff-ed 3.0.0 with 3.0.1 and I got this
> >>
> >> diff --git a/actionpack/lib/action_dispatch/routing/polymorphic_routes.rb b/actionpack/lib/action_dispatch/routing/polymorphic_routes.rb
> >> index 142cd08..fb2118a 100644
> >> --- a/actionpack/lib/action_dispatch/routing/polymorphic_routes.rb
> >> +++ b/actionpack/lib/action_dispatch/routing/polymorphic_routes.rb
> >> @@ -17,7 +17,7 @@ module ActionDispatch
> >> #
> >> ...skipping...
> >> buffer = with_output_buffer { value = yield(*args) }
> >> if string = buffer.presence || value and string.is_a?(String)
> >> - NonConcattingString.new(string)
> >> + NonConcattingString.new(ERB::Util.html_escape(string))
> >> end
> >> end
> >>
> >> if I put back the NonConcattingString.new(string) it works (at least for
> >> me)
> >> don't know the implications though, wdyt?
> >> jk
> >>
> >> 2011/2/10 Joaquin Rivera Padron <[email protected]>
> >>>
> >>> yes, if by 3-0-stable you mean 3.0.0, yes it works
> >>> thanks for the "ping offer", I'll let you know if anything, but I won't
> >>> (can't) be full time chasing the bug :-(
> >>> jk
> >>>
> >>> 2011/2/10 Santiago Pastorino <[email protected]>
> >>>>
> >>>> Great, ping me if I can help you.
> >>>> BTW did you try 3-0-stable?
> >>>>
> >>>> On Thu, Feb 10, 2011 at 9:51 AM, Joaquin Rivera Padron
> >>>> <[email protected]> wrote:
> >>>> > for me versions 3.0.4, 3.0.4.rc1, 3.0.3 and 3.0.2 are also broken
> >>>> > ok is 3.0.1, will keep digging then
> >>>> > jk
> >>>> >
> >>>> > 2011/2/9 Brian Morearty <[email protected]>
> >>>> >>
> >>>> >> Yes, I saw something similar when I upgraded to 3.0.4 this morning. I
> >>>> >> didn't have a chance to debug it so for the moment I went back to
> >>>> >> 3.0.1. I wasn't sure if it was my doing so I didn't say anything on
> >>>> >> this list.
> >>>> >>
> >>>> >> I have a helper function that returns an HTML string. The function
> >>>> >> calls .html_safe before returning. That worked in 3.0.1 but in 3.0.4
> >>>> >> it is being escaped in the output.
> >>>> >>
> >>>> >> I also tried adding .html_safe to the .html.erb file (double-safe it)
> >>>> >> but to no avail.
> >>>> >>
> >>>> >> I was not able to reproduce it in a simple case though, even in the
> >>>> >> very same function.
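Review bot: the `+` line `NonConcattingString.new(ERB::Util.html_escape(string))` runs every captured String through html_escape, and the guard on the line above, `string.is_a?(String)`, does not distinguish a plain String from one marked html_safe, so a helper that builds markup and returns it without `.html_safe` (the case Santiago points at) is entity-escaped on 3.0.4 where 3.0.1 passed it through; the commit message should state that values captured for `yield`/`content_for` must be marked html_safe, and a test covering `yield :javascripts` fed by a safe helper would pin the behaviour down. Separately, the pasted diff header names polymorphic_routes.rb while the hunk body (`with_output_buffer`, `NonConcattingString`) follows a `...skipping...` pager marker and belongs to a different file, so the file this hunk actually changes is not visible in the quoted diff.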
> >>>> >>
> >>>> >> Brian
> >>>> >>
> >>>> >>
> >>>> >> On Feb 9, 1:06 pm, Joaquin Rivera Padron <[email protected]> wrote:
> >>>> >> > hello,
> >>>> >> > I have today updated my rails app to 3.0.4 security release but now
> >>>> >> > this
> >>>> >> >
> >>>> >> > yield :javascripts
> >>>> >> >
> >>>> >> > fails in the layout and I get my custom js escaped as text in the
> >>>> >> > view.
> >>>> >> >
> >>>> >> > anybody seeing this also?
> >>>> >> >
> >>>> >> > tia,
> >>>> >> > jk
> >>>> >> >
> >>>> >> > --
> >>>> >> > www.least-significant-bit.com
> >>>> >>
> >>>> >> --
> >>>> >> You received this message because you are subscribed to the Google
> >>>> >> Groups "Ruby on Rails: Core" group.
> >>>> >> To post to this group, send email to [email protected].
> >>>> >> To unsubscribe from this group, send email to
> >>>> >> [email protected].
> >>>> >> For more options, visit this group at
> >>>> >> http://groups.google.com/group/rubyonrails-core?hl=en.
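The behaviour the thread is chasing, as a standalone Ruby model added here (not Rails code and not from any poster): a minimal html_safe?-aware escape of the kind the `+` line in the quoted hunk introduces, applied to a helper that forgets `.html_safe` versus one that marks its markup safe, and showing why Brian's "double-safe" in the template cannot undo escaping that already happened inside capture. `SafeBuffer`, `HtmlEscape` and the two `capture_*` methods are simplified stand-ins for ActiveSupport::SafeBuffer, ERB::Util.html_escape and the capture helper, not the real implementations.

```ruby
# Added example: a self-contained model of the html_safe?-aware escaping
# discussed in the thread; SafeBuffer/HtmlEscape are simplified stand-ins.

class String
  # Plain strings are untrusted markup by default.
  def html_safe?; false; end
  # Marking a string safe wraps it in a SafeBuffer.
  def html_safe; SafeBuffer.new(self); end
end

class SafeBuffer < String
  def html_safe?; true; end
  # String#to_s returns a plain String copy for a subclass and would drop
  # the safe mark, so return self (the real SafeBuffer does the same).
  def to_s; self; end
end

module HtmlEscape
  HTML_ESCAPE = { '&' => '&amp;', '>' => '&gt;', '<' => '&lt;', '"' => '&quot;' }

  # Escape unless the value itself says it is already safe.
  def self.html_escape(s)
    s = s.to_s
    return s if s.html_safe?
    s.gsub(/[&"><]/) { |c| HTML_ESCAPE[c] }.html_safe
  end
end

# Pre-3.0.4 shape: whatever the block returns is trusted as-is.
def capture_before_fix
  value = yield
  value.is_a?(String) ? value : nil
end

# Post-3.0.4 shape (the + line in the hunk): the captured string is
# escaped unless it is marked html_safe.
def capture_after_fix
  value = yield
  value.is_a?(String) ? HtmlEscape.html_escape(value) : nil
end

JS = "<script>alert('hi')</script>"   # constructed sample helper output
def plain_helper; JS; end             # forgets .html_safe
def safe_helper;  JS.html_safe; end   # marks trusted markup as safe

# Brian's "double-safe" attempt: .html_safe on the already-escaped output.
def double_safe_in_template
  capture_after_fix { plain_helper }.html_safe
end
```

The escaped entities are produced inside `capture_after_fix`, so marking the result safe afterwards only tells the view not to escape the entities again; the markup itself stays inert.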
