Robert Walker wrote: > Andrew Kaspick wrote: >> I'm upgrading an app from 2.3.5 to 2.3.8 and there are many spots where >> previous code was output correctly and now it expects html_safe method >> calls to properly escape the strings. Are those who don't want to use >> the new escaping behaviour in the 2.3.x branch expected to stick with >> 2.3.5 from now on moving forward? > > I haven't yet done the conversion of my 2.3.5 app to 2.3.8, will > hopefully do so soon. I intend to do this as a first step in preparing > it for Rails 3. However, as I understand it nothing should change in the > escaping unless you install the rails_xss. > > In fact that was the problem with 2.3.6 & 2.3.7. Version 2.3.6 > introduced a problem discovered by the HAML guys, and 2.3.7 was a hasty > fix for that, which broken stuff for everyone else. Version 2.3.8 was > supposed to get things back to normal.
Exactly. I'm not using the rails_xss plugin, but the escaping rules are not as they were in 2.3.5. String literals were "safe" in 2.3.5, but aren't in 2.3.8... a minor difference with huge implications. I was looking at hacking the rails code to fix this for my local app, but wasn't sure why this would even still be a problem for 2.3.8 when this release was supposed to "fix" the fiasco that was 2.3.6 and 2.3.7. -- Posted via http://www.ruby-forum.com/. -- You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.
