> The label_tag doesn't escape its input, but returns an html_safe string.
> Is it the expected behaviour?

No

> At the opposite, textilize("This is worded <strong>strongly</strong>",
> :filter_html) returns a string that is not html_safe, so this string
> will be escaped a second time.

:filter_html isn't enough here; some CSS properties (-moz-binding, for
example) are an attack vector too.  You must use sanitize on the resulting
output if you want to be sure your code will be safe.


> How can I know when a string given to a helper will be escaped or not?

Escaping is now idempotent; strings will not be double escaped.  So in
general you shouldn't need to know whether it's going to be escaped.

> How can I know when a string returned by an helper is html_safe or not?

With the exception of textilize, simple_format and friends, all our
helpers should escape all the output, and return safe strings.  Any
cases where I missed this (which I'm sure there are many) are bugs and
should be reported via lighthouse.  Can you open a new ticket for your
case and assign it to me with a tag of xss?

The reason I released a plugin for 2.3.x is so we can do this kind of
investigation before shipping XSS protection as a headline feature.

> For the moment, I read Rails code, but I suppose there is a rule of
> thumb for these two questions, just that I'm not clever enough to find
> it. Thanks for your help :)
>
> ++
> Bruno



-- 
Cheers

Koz
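The behaviour described in this reply, as an added illustration that is not code from the thread or from Rails: a stand-in for the html_safe marker with idempotent escaping, a tag-name-only filter in the spirit of textilize(:filter_html) that lets a -moz-binding style attribute through, and an attribute-aware sanitiser in the spirit of sanitize that drops it. The class and method names, allow-lists and the sample markup are assumptions constructed for the example.

```ruby
require 'cgi'

# Stand-in for Rails' SafeBuffer: a String that remembers it is already
# escaped, so passing it through the escaper again is a no-op.
class SafeString < String
  def html_safe?; true; end
end

class String
  def html_safe?; false; end
  def html_safe; SafeString.new(self); end
end

# Idempotent escaping: escape once, and leave already-safe strings alone.
def h(str)
  return str if str.html_safe?
  SafeString.new(CGI.escapeHTML(str))
end

ALLOWED_TAGS = %w[strong em p].freeze

# Tag-name-only filtering in the spirit of textilize(:filter_html): tags not on
# the allow-list are dropped, but every attribute on an allowed tag is kept, so
# a style attribute (and whatever CSS it carries) passes straight through.
# The result is a plain String, so a later h() escapes it a second time.
def filter_html(str)
  str.gsub(%r{</?([a-zA-Z0-9]+)[^>]*>}) { ALLOWED_TAGS.include?($1.downcase) ? $& : '' }
end

# Attribute-aware sanitiser in the spirit of sanitize: allowed tags are rebuilt
# with only allow-listed attributes, so style never survives, and the result is
# marked html_safe so it is not escaped again on output.
ALLOWED_ATTRS = %w[title].freeze
def sanitize(str)
  str.gsub(%r{<(/?)([a-zA-Z0-9]+)([^>]*)>}) do
    closing, tag, attrs = $1, $2.downcase, $3
    next '' unless ALLOWED_TAGS.include?(tag)
    next "</#{tag}>" unless closing.empty?
    kept = attrs.scan(/([a-zA-Z-]+)\s*=\s*"([^"]*)"/)
               .select { |name, _| ALLOWED_ATTRS.include?(name.downcase) }
               .map { |name, val| %( #{name}="#{CGI.escapeHTML(val)}") }
    "<#{tag}#{kept.join}>"
  end.html_safe
end

# Constructed sample, not from the thread: an allowed tag carrying -moz-binding
# plus a tag that is not on the allow-list.
SAMPLE = '<strong style="-moz-binding:url(http://example.invalid/x.xml#b)">strongly</strong><script>1</script>'
```

filter_html(SAMPLE) keeps the style attribute and returns an unsafe String that h() will escape again, while sanitize(SAMPLE) returns `<strong>strongly</strong>1` marked html_safe, which h() leaves untouched.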

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby 
on Rails: Core" group.
To post to this group, send email to rubyonrails-core@googlegroups.com
To unsubscribe from this group, send email to 
rubyonrails-core+unsubscr...@googlegroups.com
For more options, visit this group at 
http://groups.google.com/group/rubyonrails-core?hl=en
-~----------~----~----~----~------~----~------~--~---
