XSS and partials in Rails 2.3.7

Hey all,

Just wondering if there is any reason that the new XSS safety code in 2.3.7 is escaping my partials. That doesn't seem right!

I've overcome it temporarily by throwing in a "raw" like this: <%= render raw :partial => 'mypartial' %>

It's also escaping any inline <SCRIPT> tags in the templates. (This may be by design, I dunno.)

In advance of some responses that might come from this question, I've already read the update I've copied below and don't think it applies here since I installed the rails_xss plugin.

TIA, Dee

"Update: fixing compatibility with the rails_xss plugin broke HTML-safety for apps that don't use rails_xss. We're sorry, all: HTML-safety is meant to be opt-in! The fix is available now in 2.3.8.pre1 and will be released shortly."

Sorry, I had a little typo in my code. That should read: <%= raw render :partial => 'mypartial' %>

(Note the order in which raw is called.)

Definitely not right! Are you using the latest rails_xss plugin from http://github.com/rails/rails_xss ?

jeremy

Yes. I installed it yesterday after 2.3.7 because it was recommended. I have since upgraded to 2.3.8.pre1 (which still reports it is 2.3.7 btw) and get similar results as before.

I have since noticed that not all of the partials are getting escaped, just the ones being called inside a content_for block. Easy repro. That might be the key, eh? It still doesn't seem right.
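Added illustration, not code from this thread, from Rails, or from the rails_xss plugin: a minimal plain-Ruby model of the html_safe / SafeBuffer rule that rails_xss relies on, written to show one way a partial's output can end up escaped when it passes through content_for, and what the raw workaround actually does. The names SafeBuffer, raw, html_escape, render_template, render_partial, content_for_plain and content_for_safe are simplified stand-ins, and the two content_for variants are assumptions about the mechanism, not a claim about what Rails 2.3.7 does internally.

```ruby
# Added illustration for this thread: a plain-Ruby model of the
# html_safe / SafeBuffer rule introduced by rails_xss. NOT Rails or
# rails_xss source; every name below is a simplified stand-in.

# Escape the characters ERB::Util#h escapes.
ESCAPES = { '&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
            '"' => '&quot;', "'" => '&#39;' }.freeze

def html_escape(str)
  str.to_s.gsub(/[&<>"']/) { |c| ESCAPES[c] }
end

# A String that is trusted as HTML. Appending another trusted string keeps
# it verbatim; appending a plain String escapes it first.
class SafeBuffer < String
  def <<(other)
    super(other.is_a?(SafeBuffer) ? other : html_escape(other))
  end
end

# raw: assert that a string is trusted HTML (no escaping on output).
def raw(str)
  SafeBuffer.new(str.to_s)
end

# A compiled template's output buffer is a SafeBuffer; each <%= %> appends.
def render_template(pieces)
  pieces.each_with_object(SafeBuffer.new) { |p, out| out << p }
end

# A rendered partial is trusted HTML, so render returns a SafeBuffer.
def render_partial(label)
  raw("<div class='widget'>#{html_escape(label)}</div>")
end

# content_for modelled two ways (assumption, for illustration). The
# accumulator's class decides whether captured content keeps its trust
# flag: String#<< on a plain String yields a plain String, so the flag is
# lost; a SafeBuffer accumulator keeps it.
def content_for_plain(store, name, content)
  (store[name] ||= String.new) << content
end

def content_for_safe(store, name, content)
  (store[name] ||= SafeBuffer.new) << content
end

# 1. <%= render :partial => ... %> straight into the layout: not escaped.
def demo_direct
  render_template([render_partial('hi')]).to_s
end

# 2. The same partial captured by a plain-String content_for, then
#    <%= yield :sidebar %>: the buffer sees an untrusted String and escapes
#    the partial's markup, which is the symptom described in the thread.
def demo_plain_store
  store = {}
  content_for_plain(store, :sidebar, render_partial('hi'))
  render_template([store[:sidebar]]).to_s
end

# 3. A SafeBuffer accumulator keeps the flag, so the yield is not escaped.
def demo_safe_store
  store = {}
  content_for_safe(store, :sidebar, render_partial('hi'))
  render_template([store[:sidebar]]).to_s
end

# 4. The raw workaround at the point of output. It removes the symptom but
#    also disables escaping for everything in the captured content, so any
#    user input the partial forgot to escape goes out verbatim.
def demo_raw_workaround(user_label)
  store = {}
  unsafe_partial = raw("<div class='widget'>#{user_label}</div>") # no html_escape
  content_for_plain(store, :sidebar, unsafe_partial)
  render_template([raw(store[:sidebar])]).to_s
end

# String#+ returns a plain String: another common way the flag is lost.
def plus_drops_flag?
  !(raw('<b>') + 'x').is_a?(SafeBuffer)
end

if __FILE__ == $PROGRAM_NAME
  puts demo_direct
  puts demo_plain_store
  puts demo_safe_store
  puts demo_raw_workaround('<script>alert(1)</script>')
end
```

The practical point for anyone reaching for `raw` as a fix: it is a blanket assertion that the whole captured string is trusted, so the check before using it is whether every `<%= %>` inside the partial already escapes its own user-supplied values (case 4 above shows what happens when one does not). Case 2 is the accidental protection that the double escaping was giving you, and fixing where the trust flag is dropped (case 3) keeps that protection without the blanket `raw`.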