Andrew Kaspick wrote:
> I just wanted to know if others are having this issue, and it sounds
> like people are, but I'm still not sure if this is a bug or if this is
> the expected behaviour for 2.3.8. If this is expected behaviour for
> 2.3.8 then this should not have been in a "minor" point release and
> instead saved for a 2.4 release or something. Quite disappointing.
I don't know, but my quick test was really quite simple and certainly didn't present the behavior I would have expected from a Rails 2.3.x application:

welcome_helper
------------------------
def gotcha_helper
  content_tag(:script, "alert('Gotcha!')")
end

index.html.erb
------------------------
<%= h gotcha_helper %>

Generated HTML - Rails 2.3.8
------------------------
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
  <title>untitled</title>
</head>
<body>
<script>alert('Gotcha!')</script>
</body>
</html>

Obviously no escaping is being done here and I see a JS alert dialog.

Rails 2.3.5 HTML (in question)
------------------------
<script>alert('Gotcha!')</script>

All else being equal I'd call this a bug, but that's just me. Maybe I'm missing something obvious.

-- 
Posted via http://www.ruby-forum.com/.
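A stand-alone model of the mechanism behind the output above, added here as an example; it is not code from either post and not Rails' own implementation. It assumes the semantics the post's result implies: a tag helper such as content_tag marks its entire return value as trusted markup (the role of String#html_safe / ActiveSupport::SafeBuffer in Rails), and the h helper returns a trusted string unchanged, so untrusted content that was already wrapped by the helper is never escaped. SafeString, HTML_ESCAPE, h_legacy, the *_render functions and live_script? are illustrative names chosen for this example, and USER_INPUT is a constructed untrusted string.

```ruby
# Added example modelling the html_safe mechanism the post's output implies.
# Names here (SafeString, h_legacy, *_render) are illustrative, not Rails' code.

# Stand-in for a trusted-markup string (cf. ActiveSupport::SafeBuffer).
class SafeString < String
  def html_safe?
    true
  end
end

class String
  # Ordinary strings are untrusted; SafeString overrides this to true.
  def html_safe?
    false
  end

  # Mark a string as trusted markup (assumed equivalent of String#html_safe).
  def html_safe
    SafeString.new(self)
  end
end

HTML_ESCAPE = { '&' => '&amp;', '>' => '&gt;', '<' => '&lt;', '"' => '&quot;' }.freeze

# Escape helper that honours the flag: trusted input comes back untouched.
# The flag is checked before any conversion, because String#to_s on a String
# subclass returns a plain String and would silently drop the flag.
def h(s)
  return s if s.respond_to?(:html_safe?) && s.html_safe?
  s.to_s.gsub(/[&"><]/) { |c| HTML_ESCAPE[c] }.html_safe
end

# Escape helper with no notion of trusted strings: always escapes everything.
def h_legacy(s)
  String.new(s.to_s).gsub(/[&"><]/) { |c| HTML_ESCAPE[c] }
end

# Tag helper modelled on the post's content_tag call: the content is wrapped
# as-is and the entire result is marked trusted, content included.
def content_tag(name, content)
  "<#{name}>#{content}</#{name}>".html_safe
end

# Constructed untrusted input, as if it came from a request parameter.
USER_INPUT = "<script>alert('Gotcha!')</script>"

# What the post did: escape after wrapping. h sees a trusted string and
# returns it unchanged, so the script reaches the page live.
def unsafe_render
  h(content_tag(:p, USER_INPUT))
end

# The fix: escape the untrusted content before the helper marks it trusted.
def safe_render
  content_tag(:p, h(USER_INPUT))
end

# What an h without the trusted-string short-circuit produces for the same
# call: the whole tag, script included, is escaped into visible text.
def legacy_render
  h_legacy(content_tag(:p, USER_INPUT))
end

# True when the rendered output still contains an unescaped <script> tag.
def live_script?(html)
  html.include?("<script")
end

if __FILE__ == $0
  puts "unsafe: #{unsafe_render}   live script? #{live_script?(unsafe_render)}"
  puts "safe:   #{safe_render}   live script? #{live_script?(safe_render)}"
  puts "legacy: #{legacy_render}   live script? #{live_script?(legacy_render)}"
end
```

The practical consequence is that once a helper has marked its output trusted, wrapping it in h afterwards is a no-op; the escaping has to happen on the untrusted piece before it goes into the helper, as safe_render does. Anything that concatenates request data into a string and then calls html_safe on the result has the same problem as the unsafe case here.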