Andrew Kaspick wrote:
> Robert Walker wrote:
>> Andrew Kaspick wrote:
>>> Exactly. I'm not using the rails_xss plugin, but the escaping rules are
>>> not as they were in 2.3.5. String literals were "safe" in 2.3.5, but
>>> aren't in 2.3.8... a minor difference with huge implications.
>>
>> I created a quick-n-dirty test app. See the result here:
>>
>> http://www.ruby-forum.com/topic/214314#new
>
> 2.3.8 should not require the use of "raw" to do what worked out of the
> box in 2.3.5 and every release before that if rails_xss is not
> installed.
>
> 2.3.8>> " ".html_safe?
> => false
>
> That result right there is why "raw" would be required now in 2.3.8 and
> not in 2.3.5. String literals in 2.3.8 should not be false... in rails
> 3 though that is correct and the expected result.

There are other changes in 2.3.8 that are the cause of the escaping issues, but at the moment my app is not upgradeable to 2.3.8. I just wanted to know if others are having this issue, and it sounds like people are, but I'm still not sure if this is a bug or if this is the expected behaviour for 2.3.8. If this is expected behaviour for 2.3.8 then this should not have been in a "minor" point release and instead saved for a 2.4 release or something. Quite disappointing.

--
Posted via http://www.ruby-forum.com/.

