rails 3.0.4 broke yield :javascript ?

hello,

I have today updated my rails app to 3.0.4 security release but now this

yield :javascripts

fails in the layout and I get my custom js escaped as text in the view.

anybody seeing this also?

tia,

jk

Yes, I saw something similar when I upgraded to 3.0.4 this morning. I
didn't have a chance to debug it so for the moment I went back to
3.0.1. I wasn't sure if it was my doing so I didn't say anything on
this list.

I have a helper function that returns an HTML string. The function
calls .html_safe before returning. That worked in 3.0.1 but in 3.0.4
it is being escaped in the output.

I also tried adding .html_safe to the .html.erb file (double-safe it)
but to no avail.

I was not able to reproduce it in a simple case though, even in very
same function.

Brian

for me are broken also versions 3.0.4, 3.0.4.rc1, 3.0.3 and 3.0.2

ok is 3.0.1, will keep digging then

jk

Great, ping me if I can help you.
BTW did you tried 3-0-stable?

yes, if by 3-0-stable you mean 3.0.0, yes it works

thanks for the “ping offer”, I’ll let you know if anything, but I won’t (can’t) be full time chasing the bug :frowning:

jk

hi,

I diff-ed 3.0.0 with 3.0.1 and I got this

diff --git a/actionpack/lib/action_dispatch/routing/polymorphic_routes.rb b/actionpack/lib/action_dispatch/routing/polymorphic_routes.rb

index 142cd08…fb2118a 100644

— a/actionpack/lib/action_dispatch/routing/polymorphic_routes.rb

+++ b/actionpack/lib/action_dispatch/routing/polymorphic_routes.rb

@@ -17,7 +17,7 @@ module ActionDispatch

commit 2c8bff3513b17a8ad55595a61601bfba14ad40bf

Author: Santiago Pastorino santiago@wyeworks.com

Call as ERB::Util.html_escape since is not the module is not included here

hi,
I diff-ed 3.0.0 with 3.0.1 and I got this

sorry I meant diff-ed 3.0.1 to 3.0.2

I’ll try to run the tests in 3.0.2 with that change to see if (what) breaks

This commit https://github.com/rails/rails/commit/2c8bff3513b17a8ad55595a61601bfba14ad40bf
just changes from html_escape string to ERB::Util.html_escape(string)
so both are calling the same method.

You're talking about this one
https://github.com/rails/rails/commit/bb9c58eb4aa637fa75c69c705a9918d6322ff834
and this fix a security issue. I'd say that you're missing a html_safe
some where.

I’ll check, thanks for the reply

jk

you are totally right, I was missing a html_safe :slight_smile:

this is wrong as now:

content_for :js do

<<JS

JS

end

this is ok:

js = <<JS

JS

content_for :js do

js.html_safe

end

thanks a lot

jk

The change that Santiago mentioned (https://github.com/rails/rails/
commit/bb9c58eb4aa637fa75c69c705a9918d6322ff834) also causes
content_tag always to escape its output, even when the 'escape'
parameter is set to false. However, from my experiments it seems the
'escape' parameter wasn't working before the change either. Instead of
always escaping the output, content_tag was never escaping the output.

In a 3.0.1 Rails project the output is never escaped but html_safe?
always returns true:

  rails console
  Loading development environment (Rails 3.0.1)
  ruby-1.8.7-p330 :001 > helper.content_tag :div do '<b>hello</b>'
end
  => "<div><b>hello</b></div>"
  ruby-1.8.7-p330 :002 > (helper.content_tag :div do '<b>hello</b>'
end).html_safe?
   => true
  ruby-1.8.7-p330 :003 > helper.content_tag :div,nil,nil,true do
'<b>hello</b>' end
   => "<div><b>hello</b></div>"
  ruby-1.8.7-p330 :004 > (helper.content_tag :div,nil,nil,true do
'<b>hello</b>' end).html_safe?
   => true
  ruby-1.8.7-p330 :005 > helper.content_tag :div,nil,nil,false do
'<b>hello</b>' end
   => "<div><b>hello</b></div>"
  ruby-1.8.7-p330 :006 > (helper.content_tag :div,nil,nil,false do
'<b>hello</b>' end).html_safe?
   => true

In a Rails 3.0.2 project the content is always escaped and html_safe?
always returns true:

  rails console
  Loading development environment (Rails 3.0.2)
  ruby-1.8.7-p330 :001 > helper.content_tag :div do '<b>hello</b>' end
   => "<div>&lt;b&gt;hello&lt;/b&gt;</div>"
  ruby-1.8.7-p330 :002 > (helper.content_tag :div do '<b>hello</b>'
end).html_safe?
   => true
  ruby-1.8.7-p330 :003 > helper.content_tag :div,nil,nil,true do
'<b>hello</b>' end
   => "<div>&lt;b&gt;hello&lt;/b&gt;</div>"
  ruby-1.8.7-p330 :004 > (helper.content_tag :div,nil,nil,true do
'<b>hello</b>' end).html_safe?
   => true
  ruby-1.8.7-p330 :005 > helper.content_tag :div,nil,nil,false do
'<b>hello</b>' end
   => "<div>&lt;b&gt;hello&lt;/b&gt;</div>"
  ruby-1.8.7-p330 :006 > (helper.content_tag :div,nil,nil,false do
'<b>hello</b>' end).html_safe?
   => true

So at least in Rails 3.0.2 the html_safe? function is reporting the
truth. But content_tag escapes the output even when escape=false (see
the last two lines).

I would submit a patch but I'm not sure what the right fix is.

Brian Morearty

Hey Brian,

  I think we should remove the escape parameter at least here
https://github.com/rails/rails/blob/e8c870726a67a27965b2a5333a5ecf450d4f458f/actionpack/lib/action_view/helpers/form_tag_helper.rb#L303.
I haven't checked it in other places but I that guess could be removed
too, so if you want to go ahead do it and deprecate it for 3-0-stable.
We should use html_safe when you need to not escape.

Best,
Santiago.

Thanks, Santiago. I will submit a patch to deprecate the escape param/
option.

I've created a ticket to track it:

https://rails.lighthouseapp.com/projects/8994-ruby-on-rails/tickets/6421-deprecate-escape-parameteroption-in-three-helper-functions

Brian

The patch is done, tested by me, and ready to be vetted by others. If
any of you are interested in looking at it, here it is:

https://rails.lighthouseapp.com/projects/8994/tickets/6421-deprecate-escape-parameteroption-in-three-helper-functions#ticket-6421-5

The 3 helper functions mentioned above (FormTagHelper#text_area_tag,
TagHelper#content_tag, and TagHelper#tag ) will have the following
behavior after these patches are applied:

    * In 3.0.5, using the 'escape' parameter or option will show a
deprecation message.
    * In 3.1 the 'escape' parameter or option to these 3 methods is
removed. The correct way to specify escaping behavior is to call (or
not call) html_safe on the parameters. Both the rdoc and the tests are
updated.

Please respond if anything looks amiss or if it all looks good.

Brian

whoops:

https://rails.lighthouseapp.com/projects/8994-ruby-on-rails/tickets/6421-deprecate-escape-parameteroption-in-three-helper-functions#ticket-6421-5