Problem: Form Helper HTML Command Escaping

Hi there,

If I use the form_tag helper, every HTML command within that helper
block gets escaped and is not recognized by the browser as a tag.

Is that a bug or a feature? On IRC nobody had an answer.


<% form_tag do %>


<% end %>

I tried this with Rails 2.3.7 and 2.3.8. Every time the same problem.

On Rails 2.3.5 everything works fine.

This was a bug in 2.3.7 and is not supposed to be the case in 2.3.8. Please ensure your application really is using 2.3.8.

I'm still seeing problems with the 2.3.8 gems, in particular if the
output from a Rails helper is concatenated with a fixed string:

  def test1
    # body not included in the original post
  end

  def test2
    # helper output (html_safe in 2.3.8) concatenated with a literal string
    link_to_function("test2", "alert('test2')") + "<br>test2<br>"
  end

Then if a view has:

<%= test1 %>
<%= test2 %>

With 2.3.5 and earlier the HTML output is correct:

<a href="#" onclick="alert('test2'); return false;">test2</a><br>test2<br>

But with 2.3.8 the literal string appended to the helper results is
incorrectly escaped:

<a href="#" onclick="alert('test2'); return

Of course this is what we expect if using Rails 3 or the rails_xss
plugin, but it is not expected from the 2.3.8 upgrade (with rails_xss
not installed).

I've confirmed I have 2.3.8 installed - frozen in, and the top entry
in the actionpack changelog is "* HTML safety: fix compatibility
*without* the optional rails_xss plugin."
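Added example, not code from the thread or from Rails itself: a minimal stand-in for ActiveSupport::SafeBuffer that reproduces the behaviour reported above (an html_safe helper result plus a plain literal escapes the literal) and shows why the same rule protects against untrusted input. The SafeBuffer and link_to_function below are simplified assumptions, not the real Rails implementations.

```ruby
# Constructed illustration of html-safety semantics; simplified, not Rails' code.
require 'cgi'

class SafeBuffer < String
  def html_safe?
    true
  end

  # Appending a string that is not html_safe? escapes it first;
  # an html_safe? string is appended verbatim.
  def +(other)
    appended = other.html_safe? ? other.to_s : CGI.escapeHTML(other.to_s)
    SafeBuffer.new(to_s + appended)
  end
end

class String
  def html_safe?
    false
  end

  def html_safe
    SafeBuffer.new(self)
  end
end

# Assumed stand-in for the Rails helper: returns an html_safe string,
# as helpers do once html safety is on (name escaped as a conservative choice).
def link_to_function(name, js)
  %(<a href="#" onclick="#{js}; return false;">#{CGI.escapeHTML(name)}</a>).html_safe
end

# The case from the thread: the literal markup is escaped, not rendered.
def test2_escaped
  link_to_function("test2", "alert('test2')") + "<br>test2<br>"
end

# What the safe-buffer model expects: static markup you wrote is marked html_safe.
def test2_fixed
  link_to_function("test2", "alert('test2')") + "<br>test2<br>".html_safe
end

# The reason the rule exists: anything not marked safe (e.g. user input)
# is escaped, so script tags cannot reach the page as markup.
def append_untrusted(user_input)
  "<p>".html_safe + user_input + "</p>".html_safe
end
```

Only mark strings html_safe that your own code built from constants; never call `.html_safe` on request data.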

There is already a patch for that in 2.3.9.