HTML encoding messed up with remotipart

[yasirs]

Some HTML code is messed up due to quotes and the like if AJAX is delivered through remotipart. For a demo, head over to http://shielded-savannah-6910.herokuapp.com/ and look at the encoding in the AJAX responses. Basically, if I have

<% c = '"' %>
<input type="text" value="<%= h c %>">

or

<%= text_field_tag :name, c %>

Then this HTML does not put the value attribute with a double quote if delivered through remotipart, but does the expected thing without remotipart. Remotipart should not change the default behavior of views.

The partial delivered is at https://github.com/yasirs/encoding-demo/blob/hero/app/views/application/_form_partial.html.erb

[yasirs]

The issue seems to be that https://github.com/JangoSteve/remotipart/blob/master/lib/remotipart/render_overrides.rb#L16 uses html_escape_once. However, html_escape_once from Rails can't always escape HTML if it already has escaped entities. (See rails/rails#10032 for a discussion). And we need escaped HTML when securely dealing with arbitrary data (which happens all the time).

[JangoSteve]

Thank you very much for the detailed report and the sample app. I managed to turn this into a test case in remotipart's test suite. It should be fixed now:

JangoSteve/Rails-jQuery-Demo@6c2af5b