#955 View Tag doesn't work correctly with Rails 3.0.8 - Problem with Rails XSS Protection? - Hobo

Type	To find
responsible:me	tickets assigned to you
tagged:"@high"	tickets tagged @high
milestone:next	tickets in the upcoming milestone
state:invalid	tickets with the state invalid
created:"last week"	tickets created last week
sort:number, importance, updated	tickets sorted by #, importance or updated
Combine keywords for powerful searching.
Use advanced searching »

#955 ✓resolved

View Tag doesn't work correctly with Rails 3.0.8 - Problem with Rails XSS Protection?

Reported by Lanokata | June 8th, 2011 @ 07:51 PM

I'm using Hobo 1.3.0.RC.

If the view tag is used to show a link to another model, the link will be HTML escaped in Rails 3.0.8

The dryml-Tag:

<view with="&User.first" />

generates the HTML-Code:

<span class="view model::user:1">&lt;a class=&quot;user-link&quot; href=&quot;/users/1-administrator&quot;&gt;&lt;span class=&quot;view user-name &quot;&gt;Administrator&lt;/span&gt;&lt;/a&gt;</span>

instead of

<span class="view model::user:1"><a class="user-link" href="/users/1-administrator"><span class="view user-name ">Administrator</span></a></span>

The view tag works with Rails 3.0.7 or lesser, but it looks like Rails 3.0.8 has tightened the XSS protection.

Comments and changes to this ticket

Matt Jones September 14th, 2011 @ 07:42 PM
@Lanokata: it is indeed. :)
Matt Jones September 14th, 2011 @ 07:42 PM
- State changed from “new” to “resolved”

Please Sign in or create a free account to add a new ticket.

With your very own profile, you can contribute to projects, track your activity, watch tickets, receive and update tickets through your email and much more.

Create new ticket

Create your profile

Help contribute to this project by taking a few moments to create your personal profile. Create your profile »

Shared Ticket Bins (Sort)

↓↑ drag 97 New Tickets
↓↑ drag 1 Investigating (does not appear in totals)
↓↑ drag 76 No milestone assigned
↓↑ drag 128 Missing ticket-type
↓↑ drag 2 ------------------------
↓↑ drag 0 1.X High Priority
↓↑ drag 41 1.X Defects
↓↑ drag 20 1.X Enhancements
↓↑ drag 4 1.X Needs Test Case
↓↑ drag 1 1.X Clean-Up
↓↑ drag 2 1.X Testing
↓↑ drag 3 1.X Compatibility
↓↑ drag 9 1.X Doc
↓↑ drag 203 1.1 TOTAL
↓↑ drag 13 1.0 TOTAL
↓↑ drag 13 1.3 TOTAL
↓↑ drag 192 Beyond 1.0
↓↑ drag 1 stale
↓↑ drag 4 Needs Clarification

Hobo Hobo

View Tag doesn't work correctly with Rails 3.0.8 - Problem with Rails XSS Protection?

Comments and changes to this ticket

Matt Jones September 14th, 2011 @ 07:42 PM

Matt Jones September 14th, 2011 @ 07:42 PM

Create your profile

Shared Ticket Bins (Sort)

People watching this ticket

Pages

Hobo Hobo

Keyword searching

View Tag doesn't work correctly with Rails 3.0.8 - Problem with Rails XSS Protection?

Comments and changes to this ticket

Matt Jones September 14th, 2011 @ 07:42 PM

Matt Jones September 14th, 2011 @ 07:42 PM

Create your profile

Shared Ticket Bins (Sort)

People watching this ticket

Pages