XSS and partials in Rails 2.3.7

Hey all,

Just wondering if there is any reason that the new XSS safety code in 2.3.7 is escaping my partials. That don't seem right!

I've overcome it temporarily by throwing in a "raw" like this: <%= render raw :partial => 'mypartial' %>

It's also escaping any inline <SCRIPT> tags in the templates. (This may be by design, I dunno.)

In advance of some responses that might come from this question, I've already read the update I've copied below and don't think it applies here since I installed the rails_xss plugin.

TIA, Dee

"Update: fixing compatibility with the rails_xss plugin broke HTML- safety for apps that don’t use rails_xss. We’re sorry, all: HTML- safety is meant to be opt-in! The fix is available now in 2.3.8.pre1 and will be released shortly."

Sorry, I had a little typo in my code. That should read: <%= raw render :partial => 'mypartial' %>

(Note the order in which raw is called.)

Definitely not right! Are you using the latest rails_xss plugin from http://github.com/rails/rails_xss ?


Yes,. I installed it yesterday after 2.3.7 because it was recommended. I have since upgraded to 2.3.8.pre1 (which still reports it is 2.3.7 btw) and get similar results as before.

I have since noticed it not all of the partials that are getting escaped, just the ones being called inside a content_for block. Easy repro. That might be the key, eh? It still doesn't seem right.