hello,
I have today updated my rails app to 3.0.4 security release but now this
yield :javascripts
fails in the layout and I get my custom js escaped as text in the view.
anybody seeing this also?
tia,
jk
Yes, I saw something similar when I upgraded to 3.0.4 this morning. I didn't have a chance to debug it so for the moment I went back to 3.0.1. I wasn't sure if it was my doing so I didn't say anything on this list.
I have a helper function that returns an HTML string. The function calls .html_safe before returning. That worked in 3.0.1 but in 3.0.4 it is being escaped in the output.
I also tried adding .html_safe to the .html.erb file (double-safe it) but to no avail.
I was not able to reproduce it in a simple case though, even in very same function.
Brian
for me are broken also versions 3.0.4, 3.0.4.rc1, 3.0.3 and 3.0.2
ok is 3.0.1, will keep digging then
jk
Great, ping me if I can help you. BTW did you tried 3-0-stable?
yes, if by 3-0-stable you mean 3.0.0, yes it works
thanks for the “ping offer”, I’ll let you know if anything, but I won’t (can’t) be full time chasing the bug 
jk
hi,
I diff-ed 3.0.0 with 3.0.1 and I got this
diff --git a/actionpack/lib/action_dispatch/routing/polymorphic_routes.rb b/actionpack/lib/action_dispatch/routing/polymorphic_routes.rb
index 142cd08…fb2118a 100644
— a/actionpack/lib/action_dispatch/routing/polymorphic_routes.rb
+++ b/actionpack/lib/action_dispatch/routing/polymorphic_routes.rb
@@ -17,7 +17,7 @@ module ActionDispatch
commit 2c8bff3513b17a8ad55595a61601bfba14ad40bf
Author: Santiago Pastorino santiago@wyeworks.com
Call as ERB::Util.html_escape since is not the module is not included here
hi, I diff-ed 3.0.0 with 3.0.1 and I got this
sorry I meant diff-ed 3.0.1 to 3.0.2
I’ll try to run the tests in 3.0.2 with that change to see if (what) breaks
This commit https://github.com/rails/rails/commit/2c8bff3513b17a8ad55595a61601bfba14ad40bf just changes from html_escape string to ERB::Util.html_escape(string) so both are calling the same method.
You're talking about this one https://github.com/rails/rails/commit/bb9c58eb4aa637fa75c69c705a9918d6322ff834 and this fix a security issue. I'd say that you're missing a html_safe some where.
I’ll check, thanks for the reply
jk
you are totally right, I was missing a html_safe 
this is wrong as now:
content_for :js do
<<JS
JS
end
this is ok:
js = <<JS
JS
content_for :js do
js.html_safe
end
thanks a lot
jk
The change that Santiago mentioned (https://github.com/rails/rails/ commit/bb9c58eb4aa637fa75c69c705a9918d6322ff834) also causes content_tag always to escape its output, even when the 'escape' parameter is set to false. However, from my experiments it seems the 'escape' parameter wasn't working before the change either. Instead of always escaping the output, content_tag was never escaping the output.
In a 3.0.1 Rails project the output is never escaped but html_safe? always returns true:
rails console Loading development environment (Rails 3.0.1) ruby-1.8.7-p330 :001 > helper.content_tag :div do '<b>hello</b>' end => "<div><b>hello</b></div>" ruby-1.8.7-p330 :002 > (helper.content_tag :div do '<b>hello</b>' end).html_safe? => true ruby-1.8.7-p330 :003 > helper.content_tag :div,nil,nil,true do '<b>hello</b>' end => "<div><b>hello</b></div>" ruby-1.8.7-p330 :004 > (helper.content_tag :div,nil,nil,true do '<b>hello</b>' end).html_safe? => true ruby-1.8.7-p330 :005 > helper.content_tag :div,nil,nil,false do '<b>hello</b>' end => "<div><b>hello</b></div>" ruby-1.8.7-p330 :006 > (helper.content_tag :div,nil,nil,false do '<b>hello</b>' end).html_safe? => true
In a Rails 3.0.2 project the content is always escaped and html_safe? always returns true:
rails console Loading development environment (Rails 3.0.2) ruby-1.8.7-p330 :001 > helper.content_tag :div do '<b>hello</b>' end => "<div><b>hello</b></div>" ruby-1.8.7-p330 :002 > (helper.content_tag :div do '<b>hello</b>' end).html_safe? => true ruby-1.8.7-p330 :003 > helper.content_tag :div,nil,nil,true do '<b>hello</b>' end => "<div><b>hello</b></div>" ruby-1.8.7-p330 :004 > (helper.content_tag :div,nil,nil,true do '<b>hello</b>' end).html_safe? => true ruby-1.8.7-p330 :005 > helper.content_tag :div,nil,nil,false do '<b>hello</b>' end => "<div><b>hello</b></div>" ruby-1.8.7-p330 :006 > (helper.content_tag :div,nil,nil,false do '<b>hello</b>' end).html_safe? => true
So at least in Rails 3.0.2 the html_safe? function is reporting the truth. But content_tag escapes the output even when escape=false (see the last two lines).
I would submit a patch but I'm not sure what the right fix is.
Brian Morearty
Hey Brian,
I think we should remove the escape parameter at least here https://github.com/rails/rails/blob/e8c870726a67a27965b2a5333a5ecf450d4f458f/actionpack/lib/action_view/helpers/form_tag_helper.rb#L303. I haven't checked it in other places but I that guess could be removed too, so if you want to go ahead do it and deprecate it for 3-0-stable. We should use html_safe when you need to not escape.
Best, Santiago.
Thanks, Santiago. I will submit a patch to deprecate the escape param/ option.
I've created a ticket to track it:
Brian
The patch is done, tested by me, and ready to be vetted by others. If any of you are interested in looking at it, here it is:
The 3 helper functions mentioned above (FormTagHelper#text_area_tag, TagHelper#content_tag, and TagHelper#tag ) will have the following behavior after these patches are applied:
* In 3.0.5, using the 'escape' parameter or option will show a deprecation message. * In 3.1 the 'escape' parameter or option to these 3 methods is removed. The correct way to specify escaping behavior is to call (or not call) html_safe on the parameters. Both the rdoc and the tests are updated.
Please respond if anything looks amiss or if it all looks good.
Brian
