[Rails] Re: rails 2.3.8 and html_safe

2010-08-03 Thread Robert Walker
Andrew Kaspick wrote: > I just wanted to know if others are having this issue, and it sounds > like people are, but I'm still not sure if this is a bug or if this is > the expected behaviour for 2.3.8. If this is expected behaviour for > 2.3.8 then this should not have been in a "minor" point re

[Rails] Re: rails 2.3.8 and html_safe

2010-08-03 Thread Andrew Kaspick
Andrew Kaspick wrote: > Robert Walker wrote: >> Andrew Kaspick wrote: >>> Exactly. I'm not using the rails_xss plugin, but the escaping rules are >>> not as they were in 2.3.5. String literals were "safe" in 2.3.5, but >>> aren't in 2.3.8... a minor difference with huge implications. >> >> I c

[Rails] Re: rails 2.3.8 and html_safe

2010-08-03 Thread Andrew Kaspick
Robert Walker wrote: > Andrew Kaspick wrote: >> Exactly. I'm not using the rails_xss plugin, but the escaping rules are >> not as they were in 2.3.5. String literals were "safe" in 2.3.5, but >> aren't in 2.3.8... a minor difference with huge implications. > > I created a quick-n-dirty test ap

[Rails] Re: rails 2.3.8 and html_safe

2010-08-03 Thread Robert Walker
Andrew Kaspick wrote: > Exactly. I'm not using the rails_xss plugin, but the escaping rules are > not as they were in 2.3.5. String literals were "safe" in 2.3.5, but > aren't in 2.3.8... a minor difference with huge implications. I created a quick-n-dirty test app. See the result here: http:

[Rails] Re: rails 2.3.8 and html_safe

2010-08-03 Thread Andrew Kaspick
Robert Walker wrote: > Andrew Kaspick wrote: >> I'm upgrading an app from 2.3.5 to 2.3.8 and there are many spots where >> previous code was output correctly and now it expects html_safe method >> calls to properly escape the strings. Are those who don't want to use >> the new escaping behaviour i

[Rails] Re: rails 2.3.8 and html_safe

2010-08-03 Thread Robert Walker
Andrew Kaspick wrote: > I'm upgrading an app from 2.3.5 to 2.3.8 and there are many spots where > previous code was output correctly and now it expects html_safe method > calls to properly escape the strings. Are those who don't want to use > the new escaping behaviour in the 2.3.x branch expected

[Rails] Re: rails 2.3.8 and html_safe

2010-08-03 Thread Owain
I just hit a similar problem where I was concatenating strings with escapable characters within a formbuilder. I googled about and there seems to be some logic being discussed that anything that is "magic security" is going to be a nightmare. My problems were quite isolated (the great thing abo
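The behaviour change the thread is arguing about (string literals and helper return values no longer treated as safe once the view buffer became a SafeBuffer, and the form-builder concatenation trap Owain describes) is easier to see with a runnable model than with prose. The block below is an added example, not code from this thread and not Rails' own implementation: it re-implements a minimal ActiveSupport::SafeBuffer in plain Ruby so it runs without Rails, and the helpers `render_235_style`, `render_238_style`, `render_238_fixed`, `render_238_unsafe_fix`, `text_field` and `required_field_*` are hypothetical stand-ins for view and form-builder code.

```ruby
require 'cgi'

# Added illustration, NOT Rails' code: a minimal model of the SafeBuffer semantics
# Rails 2.3.8 (and 3.0) use for view output. Rails ships its own SafeBuffer,
# String#html_safe and ERB safe_concat; the helper names below are hypothetical.

class Object
  # Anything not explicitly marked safe is treated as untrusted text.
  def html_safe?
    false
  end
end

class String
  # Marking a string safe says "this is already HTML"; it performs no escaping.
  def html_safe
    SafeBuffer.new(self)
  end
end

class SafeBuffer < String
  alias safe_concat concat   # raw append, no escaping (ERB uses this for template text)

  def html_safe?; true; end
  def html_safe;  self; end
  def to_s;       self; end

  # Appending to a safe buffer escapes the argument unless it is itself marked safe.
  def concat(other)
    safe_concat(other.html_safe? ? other : CGI.escapeHTML(other.to_s))
  end
  alias << concat

  # safe + unsafe stays safe and escapes the right-hand side.
  # unsafe + safe is plain String#+ and yields an UNSAFE String (see usage note).
  def +(other)
    dup.concat(other)
  end
end

# A helper written against 2.3.5: escapes its input itself, returns a plain String.
def bold(name)
  "<b>#{CGI.escapeHTML(name)}</b>"
end

# 2.3.5 without rails_xss: the output buffer is a plain String, nothing is escaped
# unless the author calls h(), so raw markup from a helper renders as markup.
def render_235_style(name)
  out = String.new
  out << "<p>" << bold(name) << "</p>"
end

# 2.3.8: the buffer is a SafeBuffer. Template text goes in via safe_concat, <%= %>
# output via concat, so the unchanged helper's markup is now escaped on output.
def render_238_style(name)
  out = SafeBuffer.new
  out.safe_concat("<p>")
  out << bold(name)
  out.safe_concat("</p>")
end

# The right fix: the helper vouches for markup it built from escaped pieces.
def bold_safe(name)
  "<b>#{CGI.escapeHTML(name)}</b>".html_safe
end

def render_238_fixed(name)
  out = SafeBuffer.new
  out.safe_concat("<p>")
  out << bold_safe(name)
  out.safe_concat("</p>")
end

# The wrong fix: marking a string that still contains raw input as safe
# reintroduces exactly the XSS the escaping change exists to stop.
def render_238_unsafe_fix(name)
  out = SafeBuffer.new
  out.safe_concat("<p>")
  out << "<b>#{name}</b>".html_safe   # nothing escapes `name` any more
  out.safe_concat("</p>")
end

# Form-builder trap: field helpers return a SafeBuffer, so concatenating a
# literal onto one escapes the literal.
def text_field(name)
  %(<input type="text" name="#{CGI.escapeHTML(name)}" />).html_safe
end

def required_field_broken(name)
  text_field(name) + "<span>*</span>"            # the marker markup is escaped
end

def required_field_fixed(name)
  text_field(name) + "<span>*</span>".html_safe  # literal markup explicitly vouched for
end
```

With this model, `render_235_style("Bob")` gives `<p><b>Bob</b></p>` while `render_238_style("Bob")` gives `<p>&lt;b&gt;Bob&lt;/b&gt;</p>`, which is the "previously output correctly, now expects html_safe" symptom from the thread. Two caveats are worth keeping in mind while upgrading: `"<label>" + text_field("q")` (plain String on the left) returns a plain, unsafe String, so the whole field is escaped when it reaches the buffer; and `.html_safe` is an assertion, not an escape, so applying it to anything that still carries user input (`render_238_unsafe_fix("<script>")` passes the tag straight through) silently turns the upgrade into an XSS hole.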