Robert Walker wrote:
> Andrew Kaspick wrote:
> > I'm upgrading an app from 2.3.5 to 2.3.8 and there are many spots where
> > previous code was output correctly and now it expects html_safe method
> > calls to properly escape the strings. Are those who don't want to use
> > the new escaping behaviour in the 2.3.x branch expected to stick with
> > 2.3.5 from now on moving forward?
> I haven't yet done the conversion of my 2.3.5 app to 2.3.8, will
> hopefully do so soon. I intend to do this as a first step in preparing
> it for Rails 3. However, as I understand it nothing should change in the
> escaping unless you install the rails_xss plugin.
> In fact that was the problem with 2.3.6 & 2.3.7. Version 2.3.6
> introduced a problem discovered by the HAML guys, and 2.3.7 was a hasty
> fix for that, which broke stuff for everyone else. Version 2.3.8 was
> supposed to get things back to normal.
Exactly. I'm not using the rails_xss plugin, but the escaping rules are
not as they were in 2.3.5. String literals were "safe" in 2.3.5, but
aren't in 2.3.8... a minor difference with huge implications.
I was looking at hacking the rails code to fix this for my local app,
but wasn't sure why this would even still be a problem for 2.3.8 when
this release was supposed to "fix" the fiasco that was 2.3.6 and 2.3.7.
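To make the difference concrete, here is an added example (written for this thread, not code posted by either participant and not Rails's own code) that emulates the string marking rails_xss introduced. The SafeBuffer class below is an assumption: it sketches the semantics of ActiveSupport::SafeBuffer, it is not the Rails implementation. Its concatenation escapes anything not marked html_safe, so a bare string literal like "<p>" appended by a template gets escaped, which is exactly the breakage described above; next to it are the form the new rules expect (mark the template's own markup safe, leave user input unmarked) and the 2.3.5-style plain-String buffer that passes untrusted input through verbatim.

```ruby
# Added illustration of the rails_xss escaping semantics. Not Rails code.

# Escape table in the style of ERB::Util#html_escape (own copy, no library needed).
HTML_ESCAPES = {
  '&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;', "'" => '&#39;'
}.freeze

def html_escape(s)
  s.to_s.gsub(/[&<>"']/, HTML_ESCAPES)
end

# Minimal stand-in for ActiveSupport::SafeBuffer (assumption: a sketch of the
# behaviour, not Rails's implementation). A SafeBuffer is trusted markup;
# appending to it escapes anything that is not itself marked safe.
class SafeBuffer < String
  def html_safe?
    true
  end

  def concat(other)
    if other.respond_to?(:html_safe?) && other.html_safe?
      super(other)               # already trusted: append verbatim
    else
      super(html_escape(other))  # untrusted: escape on the way in
    end
  end
  alias << concat

  def +(other)
    dup.concat(other)
  end

  # Converting to a string must not drop the "safe" marking.
  def to_s
    self
  end
end

class String
  # Under the new rules every plain String, string literals included, is untrusted.
  def html_safe?
    false
  end

  # Opt a string in as trusted markup.
  def html_safe
    SafeBuffer.new(self)
  end
end

# 2.3.8 + rails_xss semantics with an unconverted template: the literal "<p>"
# is a plain String, so it gets escaped along with the user value.
def render_new(name)
  buf = SafeBuffer.new
  buf << "<p>"
  buf << name
  buf << "</p>"
  buf
end

# What the new rules expect: the template marks its own markup as safe and
# leaves the user-supplied value unmarked, so only that value is escaped.
def render_new_fixed(name)
  buf = SafeBuffer.new
  buf << "<p>".html_safe
  buf << name
  buf << "</p>".html_safe
  buf
end

# 2.3.5 semantics: the output buffer is a plain String and nothing is escaped
# unless the template calls h() explicitly, so untrusted input goes out as-is.
def render_old(name)
  buf = String.new
  buf << "<p>" << name << "</p>"
  buf
end

if __FILE__ == $0
  payload = "<script>alert(1)</script>"
  puts render_new(payload)
  puts render_new_fixed(payload)
  puts render_old(payload)
end
```

Run it and the three lines show the whole story: the first has its `<p>` tags escaped (the "huge implication" of literals no longer being safe), the second escapes only the injected script, and the third emits the script tag unescaped, which is the hole the marking exists to close.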