HTML escaping not working for haml_concat in haml_tag block #718
Comments
This is the correct behavior, haml_concat outputs should not be escaped when they are inside a haml_tag block. When xss safe is enabled the haml_tag implementation is the following:

```ruby
def haml_tag_with_haml_xss(name, *rest, &block)
  name = haml_xss_html_escape(name.to_s)
  rest.unshift(haml_xss_html_escape(rest.shift.to_s)) unless [Symbol, Hash, NilClass].any? {|t| rest.first.is_a? t}
  with_raw_haml_concat {haml_tag_without_haml_xss(name, *rest, &block)}
end
```

The docs explanation for with_raw_haml_concat explains why it is needed.
This does seem like a bug. I believe it's happening because the outer call to
The old value of _haml_concat_raw was not being set correctly, hence calls to haml_concat after a call to haml_tag would result in the output of haml_concat being appended unescaped. Resolves #718
Before this commit, haml_tag relied on haml_concat to write its output. This created a problem when XSS protection was in use - the tags themselves needed not to be escaped, but the tags contents should be escaped. The current workaround used the with_raw_haml_concat method to set a flag to control whether haml_concat should be escaped, but this is too crude and results in any use of haml_concat inside a block passed to haml_tag not being escaped when it should. Create new private methods in Helpers to allow more control of writing to the buffer, and change haml_tag to use them so that haml_tag and haml_concat behave correctly when XSS protection is in use. Also alter haml_concat_with_haml_xss so it still respects with_raw_haml_concat. See #718, #731, #732
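The difference between the two strategies discussed above (a process-wide "raw" flag toggled around the whole haml_tag call, versus a private writer that lets haml_tag emit its own markup without touching haml_concat) is easier to see in isolation. The following is an added example, not Haml's code and not from anyone in this thread: it is a minimal stand-in for the helper buffer that runs without the haml gem. The names FakeView, FlagBasedView, SeparateWriterView, render_repro and write_raw are assumptions made for this illustration; only haml_concat, haml_tag and with_raw_haml_concat mirror names used in the thread, and the reproduction strings are constructed to match the report.

```ruby
require 'cgi'

# Added example, not Haml's code: a minimal stand-in for the helper buffer so the
# two strategies in the thread can be compared without the haml gem. Class and
# method names other than haml_concat, haml_tag and with_raw_haml_concat are
# assumptions made for this illustration.
class FakeView
  def initialize
    @buf = String.new
    @raw = false          # stands in for the _haml_concat_raw flag
  end

  def output
    @buf
  end

  def html_escape(text)
    CGI.escapeHTML(text.to_s)
  end

  # Saves and restores the flag (the restore is what the first fix in this thread
  # corrected), so the remaining problem is the flag's scope, not its cleanup.
  def with_raw_haml_concat
    old_raw = @raw
    @raw = true
    yield
  ensure
    @raw = old_raw
  end

  # Escapes unless the raw flag is set: the behaviour user code relies on.
  def haml_concat(text)
    @buf << (@raw ? text.to_s : html_escape(text)) << "\n"
  end
end

# Strategy 1 (the behaviour reported in the issue): haml_tag emits its markup
# through haml_concat with the raw flag set for the whole call, so any
# haml_concat in the user's block also runs unescaped.
class FlagBasedView < FakeView
  def haml_tag(name, content = nil)
    with_raw_haml_concat do
      haml_concat "<#{name}>"
      if block_given?
        yield
      else
        haml_concat html_escape(content)
      end
      haml_concat "</#{name}>"
    end
  end
end

# Strategy 2 (the shape the fixing commit describes): haml_tag writes its own
# markup through a private writer that bypasses haml_concat, so the escaping
# decision for user content stays with haml_concat and the block is never raw.
class SeparateWriterView < FakeView
  def haml_tag(name, content = nil)
    write_raw "<#{name}>"
    if block_given?
      yield
    else
      write_raw html_escape(content)
    end
    write_raw "</#{name}>"
  end

  private

  def write_raw(markup)
    @buf << markup << "\n"
  end
end

# Constructed reproduction modelled on the report: one tag with inline content,
# one tag whose block calls haml_concat with attacker-shaped strings, and one
# haml_concat after the tag has returned.
def render_repro(view)
  view.haml_tag(:span, "<i>inline content</i>")
  view.haml_tag(:div) do
    view.haml_concat "<script>alert('Evil2')</script>"
    view.haml_concat "<b>Bold!</b>"
  end
  view.haml_concat "<b>after the tag</b>"
  view.output
end

if __FILE__ == $PROGRAM_NAME
  puts "--- flag-based haml_tag ---"
  puts render_repro(FlagBasedView.new)
  puts "--- separate writer ---"
  puts render_repro(SeparateWriterView.new)
end
```

With the flag-based view the inline content of the span is escaped (it is escaped before being handed to haml_concat), but both haml_concat calls inside the div block come out verbatim, which is the script/bold behaviour the report describes; the call after haml_tag returns is escaped again only because the flag is restored. With the separate writer the tag markup is still emitted raw, yet every haml_concat call, inside or outside the block, is escaped, because the raw flag is never set on behalf of the user's block.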
HTML escaping does not work when haml_concat is used in a haml_tag block. I reproduced this behaviour in a newly generated rails application (Rails 3.2.15, Ruby 1.9.3-p448, Haml 4.0.2):
Consider the following oneliner view app/views/welcome/index.html.haml:

```haml
-haml_concat_test
```
and the following method in app/helpers/welcome_helper.rb:
The following HTML will be generated:
The '<' and '>' chars of the content inside the haml_tag span have been escaped correctly. However the content added with haml_concat has not been escaped. When opening this view the alert "Evil2" pops up and the text 'Bold!' appears bold.
Why doesn't haml escape the contents when using haml_concat inside of a haml_tag block? Do we need to enable escaping globally anywhere?
Thanks a lot in advance,
Jesko