Andrew Kaspick wrote:
> I just wanted to know if others are having this issue, and it sounds 
> like people are, but I'm still not sure if this is a bug or if this is 
> the expected behaviour for 2.3.8.  If this is expected behaviour for 
> 2.3.8 then this should not have been in a "minor" point release and 
> instead saved for a 2.4 release or something.  Quite disappointing.

I don't know, but my quick test was really quite simple and certainly 
didn't present the behavior I would have expected from a Rails 2.3.x 
application:

welcome_helper.rb
------------------------
module WelcomeHelper
  # content_tag returns its markup flagged html_safe in 2.3.8
  def gotcha_helper
    content_tag(:script, "alert('Gotcha!')")
  end
end

index.html.erb
------------------------
<%= h gotcha_helper %>

Generated HTML - Rails 2.3.8
------------------------
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
  <meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
  <title>untitled</title>
</head>
<body>
  <script>alert('Gotcha!')</script>
</body>
</html>

Obviously no escaping is being done here and I see a JS alert dialog.

Rails 2.3.5 HTML (in question)
------------------------
  &lt;script&gt;alert('Gotcha!')&lt;/script&gt;

All else being equal I'd call this a bug, but that's just me. Maybe I'm 
missing something obvious.
-- 
Posted via http://www.ruby-forum.com/.
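Added example (my own code, not from the post above and not Rails' own implementation): a minimal model of the html_safe contract that changed between 2.3.5 and 2.3.8. It assumes the four-entry escape table Rails 2.3 used, a content_tag stand-in that flags its output safe without escaping its body, and a hypothetical safe_tag helper showing the defensive pattern.

```ruby
# Assumed escape table (the four characters Rails 2.3's html_escape handled).
HTML_ESCAPE = { "&" => "&amp;", "<" => "&lt;", ">" => "&gt;", '"' => "&quot;" }

def html_escape(str)
  str.to_s.gsub(/[&<>"]/) { |c| HTML_ESCAPE[c] }
end

# Model of the "safe" flag: a string marked html_safe is trusted by `h`.
class String
  def html_safe?
    @html_safe == true
  end

  def html_safe
    dup.tap { |s| s.instance_variable_set(:@html_safe, true) }
  end
end

# 2.3.5 behaviour: `h` escapes unconditionally.
def h_235(str)
  html_escape(str)
end

# 2.3.8 behaviour: `h` passes a safe-flagged string through untouched.
def h_238(str)
  str.html_safe? ? str : html_escape(str)
end

# Stand-in for 2.3.8 content_tag: body emitted verbatim, result flagged safe.
def content_tag(name, body)
  "<#{name}>#{body}</#{name}>".html_safe
end

# The helper from the post.
def gotcha_helper
  content_tag(:script, "alert('Gotcha!')")
end

# Hypothetical defensive helper: escape untrusted input *before* it is
# wrapped and flagged safe, so the flag only ever covers escaped text.
def safe_tag(name, untrusted_body)
  content_tag(name, html_escape(untrusted_body))
end
```

Under 2.3.8 the escaping decision moves from `h` to whoever set the safe flag, so every helper that calls html_safe must escape its own inputs first.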
