Problem: Form Helper HTML Command Escaping

Hi there,

If I use the form_tag helper, every HTML command within that helper block gets escaped and is not recognized by the browser as a tag.

Is that a bug or a feature? On IRC nobody had an answer.

Example:

<% form_tag do %>
  <div></div>
<% end %>

I tried this with Rails 2.3.7 and 2.3.8. Every time the same problem.

On Rails 2.3.5 everything works fine.

This was a bug in 2.3.7 and is not supposed to be the case in 2.3.8. Please ensure your application really is using 2.3.8.

I'm still seeing problems with the 2.3.8 gems, in particular if the output from a Rails helper is concatenated with a fixed string:

  def test1
    "test1<br>test1<br>"
  end

  def test2
    link_to_function("test2", "alert('test2')") + "<br>test2<br>"
  end

Then if a view has:

<%= test1 %> <%= test2 %>

With 2.3.5 and earlier the HTML output is correct:

test1<br>test1<br> <a href="#" onclick="alert('test2'); return false;">test2</a><br>test2<br>

But with 2.3.8 the literal string appended to the helper results is incorrectly escaped:

test1<br>test1<br> <a href="#" onclick="alert('test2'); return false;">test2</a>&lt;br&gt;test2&lt;br&gt;

Of course this is what we expect if using Rails 3 or the rails_xss plugin, but it is not expected from the 2.3.8 upgrade (with rails_xss not installed).

I've confirmed I have 2.3.8 installed - frozen in, and the top entry in the actionpack changelog is "* HTML safety: fix compatibility *without* the optional rails_xss plugin."
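The behaviour described in this post follows from the HTML-safety rule: helper output is marked safe, a plain string literal is not, and appending an unmarked string to a safe one escapes it. The following is an added example, not code from the thread or from Rails: it models that rule with a small String subclass (constructed here, not ActiveSupport::SafeBuffer itself) and a simplified stand-in for link_to_function, then reproduces the test2 case, the fixed form, and the case the rule is there to protect against.

```ruby
require 'cgi'

# Constructed model of the 2.3.8 HTML-safety rule (not Rails' own
# ActiveSupport::SafeBuffer code): strings are untrusted by default, helpers
# return a "safe" string, and appending an untrusted string to a safe one
# HTML-escapes the untrusted part.
class String
  def html_safe?
    false
  end

  # Mark a literal the developer vouches for as already-safe markup.
  def html_safe
    SafeString.new(self)
  end
end

class SafeString < String
  def html_safe?
    true
  end

  # Escape anything that is not itself marked safe before it joins the buffer.
  def +(other)
    SafeString.new(super(other.html_safe? ? other : CGI.escapeHTML(other)))
  end

  def <<(other)
    super(other.html_safe? ? other : CGI.escapeHTML(other))
  end
end

# Stand-in for a Rails helper: it builds markup and returns it marked safe.
# (Hypothetical simplification; the real helper's own escaping rules are not
# reproduced here.)
def link_to_function(name, js)
  %(<a href="#" onclick="#{js}; return false;">#{CGI.escapeHTML(name)}</a>).html_safe
end

# The thread's test2: safe helper output + plain literal. Under the rule the
# literal "<br>test2<br>" is treated as untrusted and escaped.
def test2_as_reported
  link_to_function("test2", "alert('test2')") + "<br>test2<br>"
end

# The idiom once the rule is in force: mark the developer-written literal as
# safe so it is emitted verbatim.
def test2_fixed
  link_to_function("test2", "alert('test2')") + "<br>test2<br>".html_safe
end

# Why the rule exists: the same concatenation with attacker-controlled input
# (a constructed comment string) neutralises the injected markup.
def render_comment(comment)
  "<p>".html_safe + comment + "</p>".html_safe
end

if __FILE__ == $0
  puts test2_as_reported
  puts test2_fixed
  puts render_comment("<script>alert(1)</script>")
end
```

The escaping in test2 is the same mechanism that protects render_comment; the difference between the two is only whether the string appended to the helper output was marked safe by the developer.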

There is already a patch for that in 2.3.9 https://rails.lighthouseapp.com/projects/8994/tickets/4695-string-added-to-rails_helpers-gets-html-escaped -j