When generating an HTML tag via TagHelper#tag (or any of the higher-level 
tag/form helpers that use it), it is possible to provide an attribute value 
that can impact the tag beyond the specified attribute.

An explicit, though contrived, example should illustrate the issue. From 
Rails console run:

    trusted = 'good" readonly="readonly'.html_safe; print helper.tag(:input, :value => trusted)

    # => <input value="good" readonly="readonly" /> => nil

I provided a single attribute in the options hash, and yet generated 2 
attributes in the output. Regardless of the fact that the calling code 
provides the attribute value in a SafeBuffer, I can think of no scenario 
worth supporting where you would want this behavior. The "html_safe"-ness 
of the value should not allow you to overflow outside of the attribute you 
are specifying.

I can describe a real-world scenario (of SafeBuffers containing unescaped 
quotes), but I did not want the conversation to get sidetracked into 
suggested alternative approaches. The core issue is whether an attribute 
value should ever be able to impact the rest of the HTML tag.

I've submitted a pull request that resolves the issue 
(https://github.com/rails/rails/pull/7611), but I am curious to hear if 
there are valid reasons to support the existing behavior.

-- 
You received this message because you are subscribed to the Google Groups "Ruby 
on Rails: Core" group.
To view this discussion on the web visit 
https://groups.google.com/d/msg/rubyonrails-core/-/C0IJN9nuNdIJ.
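The behaviour described in the message, reproduced in plain Ruby without Rails, as an added example that is not part of the original post or of Rails itself: `SafeString`, `tag_lenient`, `tag_strict` and `attribute_count` are constructed names, and the hardened rule (always escape quotes, even in html_safe values) is one illustrative fix, not necessarily the one in the linked pull request.

```ruby
require 'cgi'

# Minimal stand-in for ActiveSupport::SafeBuffer: a String that reports
# itself as html_safe (constructed for this example, not the Rails class).
class SafeString < String
  def html_safe?
    true
  end
end

# Builder mirroring the reported behaviour: html_safe values are
# interpolated verbatim, so a value containing a double quote can close
# the attribute and add further attributes to the tag.
def tag_lenient(name, attrs)
  pairs = attrs.map do |k, v|
    safe = v.respond_to?(:html_safe?) && v.html_safe?
    val = safe ? v.to_s : CGI.escapeHTML(v.to_s)
    %(#{k}="#{val}")
  end
  "<#{name} #{pairs.join(' ')} />"
end

# Hardened builder: untrusted values are fully escaped; html_safe values
# keep their markup entities but still get double quotes escaped, so no
# value can break out of the attribute it was given.
def tag_strict(name, attrs)
  pairs = attrs.map do |k, v|
    safe = v.respond_to?(:html_safe?) && v.html_safe?
    val = safe ? v.to_s.gsub('"', '&quot;') : CGI.escapeHTML(v.to_s)
    %(#{k}="#{val}")
  end
  "<#{name} #{pairs.join(' ')} />"
end

# Count attributes in a rendered tag; a mismatch with the number of keys
# passed in is the observable sign of attribute injection.
def attribute_count(html)
  html.scan(/\s[\w-]+="/).length
end

if __FILE__ == $0
  trusted = SafeString.new('good" readonly="readonly') # constructed input
  puts tag_lenient(:input, value: trusted) # 2 attributes from 1 key
  puts tag_strict(:input, value: trusted)  # 1 attribute, quote escaped
end
```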