View Tag doesn't work correctly with Rails 3.0.8 - Problem with Rails XSS Protection?
Reported by Lanokata | June 8th, 2011 @ 07:51 PM
I'm using Hobo 1.3.0.RC.
If the view tag is used to show a link to another model, the link will be HTML escaped in Rails 3.0.8
The dryml-Tag:
<view with="&User.first" />
generates the HTML-Code:
<span class="view model::user:1"><a class="user-link" href="/users/1-administrator"><span class="view user-name ">Administrator</span></a></span>
instead of
<span class="view model::user:1"><a class="user-link" href="/users/1-administrator"><span class="view user-name ">Administrator</span></a></span>
The view tag works with Rails 3.0.7 or lesser, but it looks like Rails 3.0.8 has tightened the XSS protection.
Comments and changes to this ticket
-
Matt Jones September 14th, 2011 @ 07:42 PM
- State changed from new to resolved
Please Sign in or create a free account to add a new ticket.
With your very own profile, you can contribute to projects, track your activity, watch tickets, receive and update tickets through your email and much more.
Create your profile
Help contribute to this project by taking a few moments to create your personal profile. Create your profile ยป