XSS and partials in Rails 2.3.7

Hey all,

Just wondering if there is any reason that the new XSS safety code in
2.3.7 is escaping my partials. That don’t seem right!

I’ve overcome it temporarily by throwing in a “raw” like this:
<%= render raw :partial => 'mypartial' %>

It’s also escaping any inline tags in the templates. (This
may be by design, I dunno.)

In advance of some responses that might come from this question, I’ve
already read the update I’ve copied below and don’t think it applies
here since I installed the rails_xss plugin.

TIA,
Dee

“Update: fixing compatibility with the rails_xss plugin broke HTML-
safety for apps that don’t use rails_xss. We’re sorry, all: HTML-
safety is meant to be opt-in! The fix is available now in 2.3.8.pre1
and will be released shortly.”

Sorry, I had a little typo in my code. That should read:
<%= raw render :partial => 'mypartial' %>

(Note the order in which raw is called.)

On Mon, May 24, 2010 at 5:38 PM, Dee [email protected] wrote:

Just wondering if there is any reason that the new XSS safety code in
2.3.7 is escaping my partials. That don’t seem right!

Definitely not right! Are you using the latest rails_xss plugin from
GitHub (rails/rails_xss, "A plugin for rails 2.3 apps which switches the default to escape by default")?

jeremy

Yes. I installed it yesterday after 2.3.7 because it was recommended.
I have since upgraded to 2.3.8.pre1 (which still reports it is 2.3.7
btw) and get similar results as before.

I have since noticed it's not all of the partials that are getting
escaped, just the ones being called inside a content_for block. Easy
repro. That might be the key, eh? It still doesn't seem right.
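The behaviour described in this thread comes down to whether a string carries an "html safe" flag when it reaches the output buffer. The following is an added, stand-alone model of those semantics (it is not rails_xss's or Rails' own code and does not load Rails): a tiny SafeBuffer class that escapes unsafe strings on append, a `raw` helper that flips the flag, and two `content_for`-style accumulators. The one that stores captured output in a plain String loses the flag, so the already-escaped partial gets escaped a second time at `yield`, which is exactly the double-escaping symptom reported above. Function names, the sample "untrusted" input and the `emit` helper are all constructed for this example.

```ruby
require 'cgi'

# Model of an HTML-safe output buffer. Template literals are appended with
# safe_concat (no escaping); anything appended with << is escaped unless it
# already claims to be safe. Written for this example, not the plugin's code.
class SafeBuffer < String
  alias safe_concat <<   # keep String#<< for already-safe template text

  def html_safe?
    true
  end

  def html_safe
    self
  end

  # Escape untrusted input on the way in; pass safe buffers through.
  def <<(value)
    if value.respond_to?(:html_safe?) && value.html_safe?
      safe_concat(value.to_s)
    else
      safe_concat(CGI.escapeHTML(value.to_s))
    end
  end
  alias concat <<
end

# Plain Strings are untrusted until something marks them safe.
class String
  def html_safe?
    false
  end

  def html_safe
    SafeBuffer.new(self)
  end
end

# raw: mark a string as already-escaped HTML so the buffer will not touch it.
# Safe to apply to output a template already escaped; unsafe on raw user data.
def raw(str)
  str.to_s.html_safe
end

# A rendered partial: literal markup is appended as safe, user data is escaped.
def render_partial(user_input)
  out = SafeBuffer.new
  out.safe_concat('<p>')
  out << user_input          # untrusted data is escaped here, once
  out.safe_concat('</p>')
  out
end

# The layout's <%= %> output path: each value is appended to a SafeBuffer.
def emit(*values)
  buf = SafeBuffer.new
  values.each { |v| buf << v }
  buf.to_s
end

# content_for modelled with a plain String accumulator: String#<< copies the
# characters but not the SafeBuffer class, so the safe flag is lost and the
# partial is escaped again when yielded (the symptom described in the thread).
def content_for_plain(partial_html)
  store = String.new
  store << partial_html
  emit(store)
end

# content_for modelled with a SafeBuffer accumulator: the flag survives, so the
# partial's markup is emitted as-is while its user data stays escaped.
def content_for_safe(partial_html)
  store = SafeBuffer.new
  store << partial_html
  emit(store)
end

# The workaround from the thread, modelled at the point of output: raw restores
# the flag on the stored String. Correct only because the partial already
# escaped its data; raw on a string holding unescaped user input would undo
# the protection entirely.
def content_for_plain_with_raw(partial_html)
  store = String.new
  store << partial_html
  emit(raw(store))
end

if __FILE__ == $PROGRAM_NAME
  partial = render_partial('<b>untrusted</b>')   # constructed sample input
  puts "plain store:  #{content_for_plain(partial)}"
  puts "safe store:   #{content_for_safe(partial)}"
  puts "raw at yield: #{content_for_plain_with_raw(partial)}"
end
```

Run it with `ruby safebuffer_model.rb`: the plain-String path prints `&lt;p&gt;&amp;lt;b&amp;gt;...` (the partial's own escaping has itself been escaped), while the SafeBuffer path and the raw workaround both print `<p>&lt;b&gt;untrusted&lt;/b&gt;</p>`, i.e. intact markup with the user data escaped exactly once. The point for anyone reaching for `raw` is that it only ever removes a layer of escaping; it is the right fix when the layer being removed is a spurious one, as here, and a hole when it is the only one.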