contents of ``<repeat>`` are html-escaped
Reported by Tomoaki Hayasaka | October 4th, 2010 @ 08:54 PM | in Hobo 1.3 (Rails 3)
Similar to #808, contents of <repeat> are html-escaped.
For example in Agility,
Assigned users: <repeat:users join=", "><a/></repeat><else>None</else>
in /users or /story/1 is rendered as
Assigned users: <a class="user-link" href="/users/1-tomoaki-hayasaka"><span class="view user-name ">Tomoaki Hayasaka</span></a>
Possible fix is
diff --git a/dryml/taglibs/core.dryml b/dryml/taglibs/core.dryml
index 496e0a9..28b79c9 100644
--- a/dryml/taglibs/core.dryml
+++ b/dryml/taglibs/core.dryml
@@ -47,7 +47,7 @@ For example, you might want to wrap an `<img>` tag in an `<a>` tag but only unde
raise ArgumentError, "Cannot <repeat> on #{this.inspect}" unless this.respond_to? :each
context_map do
parameters.default
- end.safe_join(join)
+ end.safe_join(join && join.html_safe)
%></if></def>
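Review bot: blessing the caller's attribute at `end.safe_join(join && join.html_safe)` makes the bypass unconditional, so whatever string arrives in `join` (including one built from untrusted input) is emitted unescaped. The intent is only to stop the repeated contents from being escaped; that is better achieved inside `safe_join` by escaping the separator itself when it is not already `html_safe?` and leaving the items' own safety marks intact, or by requiring callers to pass an html_safe value, rather than marking an arbitrary value safe here.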
...
Comments and changes to this ticket
Domizio Demichelis October 4th, 2010 @ 11:55 PM
- State changed from new to open
- Milestone set to Hobo 1.3 (Rails 3)
- Assigned user set to Domizio Demichelis
- Milestone order changed from 197906 to 0
We should not automatically escape the join attribute value, which might not be safe. The user should provide an html_safe value for it, OR the join value (but only the join value) should be escaped internally.
I changed the logic of safe_join, so it works and is safe.
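The three behaviours discussed in this ticket (contents escaped wholesale, the proposed fix that blesses the join attribute, and a safe_join that escapes only what is not already html_safe), as an added illustration that is neither Hobo's nor Rails' code. The SafeString class and html_escape helper are a constructed stand-in for ActiveSupport's html_safe marking.

```ruby
require "cgi"

# Constructed stand-in for ActiveSupport's html_safe marking (not Hobo's
# or Rails' code): a SafeString is markup that must not be escaped again.
class SafeString < String
  def html_safe?; true; end
  def html_safe; self; end
end

class String
  def html_safe?; false; end
  def html_safe; SafeString.new(self); end
end

# Escape a value unless it is already marked safe.
def html_escape(value)
  value.html_safe? ? value : SafeString.new(CGI.escapeHTML(value.to_s))
end

# Behaviour the ticket reports: the joined result is escaped as a whole, so
# the <a> tags rendered inside <repeat> show up as literal text.
def escape_all_join(items, sep)
  html_escape(items.join(sep.to_s))
end

# The fix proposed in the ticket's diff, modelled here: blessing the join
# attribute means a caller-supplied separator is never escaped.
def bless_join_then_join(items, sep)
  SafeString.new(items.map { |i| html_escape(i) }.join(sep.to_s.html_safe))
end

# Logic the maintainer describes: escape each item and the separator
# individually, skipping only values the caller marked html_safe.
def safe_join(items, sep = "")
  SafeString.new(items.map { |i| html_escape(i) }.join(html_escape(sep.to_s)))
end

# Constructed sample: two user links as <repeat:users><a/></repeat> would emit.
LINKS = [
  '<a class="user-link" href="/users/1">Tomoaki</a>'.html_safe,
  '<a class="user-link" href="/users/2">Domizio</a>'.html_safe,
]

if __FILE__ == $0
  puts escape_all_join(LINKS, ", ")        # links escaped: the reported bug
  puts bless_join_then_join(LINKS, "<b>")  # <b> emitted raw: unsafe
  puts safe_join(LINKS, ", ")              # links intact, separator escaped
end
```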
Tom Locke October 4th, 2010 @ 11:56 PM
- State changed from open to resolved
(from [5bf6b6402c045aad4fc86bfb5c6f9ea19160fe46]) xss: improved the safe_join logic [#822 state:resolved] http://github.com/tablatom/hobo/commit/5bf6b6402c045aad4fc86bfb5c6f...