#822 contents of ``<repeat>`` are html-escaped - Hobo

Type	To find
responsible:me	tickets assigned to you
tagged:"@high"	tickets tagged @high
milestone:next	tickets in the upcoming milestone
state:invalid	tickets with the state invalid
created:"last week"	tickets created last week
sort:number, importance, updated	tickets sorted by #, importance or updated
Combine keywords for powerful searching.
Use advanced searching »

#822 ✓resolved

contents of ``<repeat>`` are html-escaped

Reported by Tomoaki Hayasaka | October 4th, 2010 @ 08:54 PM | in Hobo 1.3 (Rails 3)

Similar to #808, contents of <repeat> are html-escaped.

For example in Agility,

Assigned users: <repeat:users join=", "><a/></repeat><else>None</else>

in /users or /story/1 is rendered as

Assigned users: &lt;a class=&quot;user-link&quot; href=&quot;/users/1-tomoaki-hayasaka&quot;&gt;&lt;span class=&quot;view user-name &quot;&gt;Tomoaki Hayasaka&lt;/span&gt;&lt;/a&gt;

Possible fix is

diff --git a/dryml/taglibs/core.dryml b/dryml/taglibs/core.dryml
index 496e0a9..28b79c9 100644
--- a/dryml/taglibs/core.dryml
+++ b/dryml/taglibs/core.dryml
@@ -47,7 +47,7 @@ For example, you might want to wrap an `<img>` tag in an `<a>` tag but only unde
   raise ArgumentError, "Cannot <repeat> on #{this.inspect}" unless this.respond_to? :each
   context_map do
     parameters.default
-  end.safe_join(join)
+  end.safe_join(join && join.html_safe)
 %></if></def>
 
 
...

Comments and changes to this ticket

Domizio Demichelis October 4th, 2010 @ 11:55 PM
- State changed from “new” to “open”
- Milestone set to “Hobo 1.3 (Rails 3)”
- Assigned user set to “Domizio Demichelis”
- Milestone order changed from “197906” to “0”
We should not automatically escape the join attribute value, which might be not-safe. The user should provide a html_safe value for it OR the join value (but only the join value) should be escaped internally.

I changed the logic of safe_join, so it works and is safe.
Tom Locke October 4th, 2010 @ 11:56 PM
- State changed from “open” to “resolved”
(from [5bf6b6402c045aad4fc86bfb5c6f9ea19160fe46]) xss: improved the safe_join logic [#822 state:resolved] http://github.com/tablatom/hobo/commit/5bf6b6402c045aad4fc86bfb5c6f...
Domizio Demichelis October 5th, 2010 @ 12:51 AM
fixed and improved tests in 0b6dbc11ea

Please Sign in or create a free account to add a new ticket.

With your very own profile, you can contribute to projects, track your activity, watch tickets, receive and update tickets through your email and much more.

Create new ticket

Create your profile

Help contribute to this project by taking a few moments to create your personal profile. Create your profile »

Shared Ticket Bins (Sort)

↓↑ drag 97 New Tickets
↓↑ drag 1 Investigating (does not appear in totals)
↓↑ drag 76 No milestone assigned
↓↑ drag 128 Missing ticket-type
↓↑ drag 2 ------------------------
↓↑ drag 0 1.X High Priority
↓↑ drag 41 1.X Defects
↓↑ drag 20 1.X Enhancements
↓↑ drag 4 1.X Needs Test Case
↓↑ drag 1 1.X Clean-Up
↓↑ drag 2 1.X Testing
↓↑ drag 3 1.X Compatibility
↓↑ drag 9 1.X Doc
↓↑ drag 203 1.1 TOTAL
↓↑ drag 13 1.0 TOTAL
↓↑ drag 13 1.3 TOTAL
↓↑ drag 192 Beyond 1.0
↓↑ drag 1 stale
↓↑ drag 4 Needs Clarification

People watching this ticket

Domizio Demichelis

Referenced by

822 contents of ``<repeat>`` are html-escaped (from [5bf6b6402c045aad4fc86bfb5c6f9ea19160fe46]) xss: im...

Hobo Hobo → Hobo 1.3 (Rails 3)

New Billing System

contents of ``<repeat>`` are html-escaped

Comments and changes to this ticket

Domizio Demichelis October 4th, 2010 @ 11:55 PM

Tom Locke October 4th, 2010 @ 11:56 PM

Domizio Demichelis October 5th, 2010 @ 12:51 AM

Create your profile

Shared Ticket Bins (Sort)

People watching this ticket

Referenced by

Pages

Hobo Hobo → Hobo 1.3 (Rails 3)

New Billing System

Keyword searching

contents of ``<repeat>`` are html-escaped

Comments and changes to this ticket

Domizio Demichelis October 4th, 2010 @ 11:55 PM

Tom Locke October 4th, 2010 @ 11:56 PM

Domizio Demichelis October 5th, 2010 @ 12:51 AM

Create your profile

Shared Ticket Bins (Sort)

People watching this ticket

Referenced by

Pages