Escape attributes regardless of whether it's SafeBuffer or not #1028
Conversation
@@ -607,9 +607,12 @@ def haml_tag_if(condition, *tag) | |||
# @param text [String] The string to sanitize | |||
# @return [String] The sanitized string | |||
def html_escape(text) | |||
ERB::Util.html_escape(text) |
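Review bot: the visible `ERB::Util.html_escape(text)` body is the method that ActiveSupport overrides to pass `html_safe?` strings through untouched (as the comment on this hunk notes), so if that call is what remains inside `html_escape`, the behaviour the PR title promises (escaping even when the value is a SafeBuffer) does not hold under Rails; the escaping should go through a method ActiveSupport does not patch, such as the CGI one the reviewers ask for, and the `@return` doc above should state that the input is escaped regardless of `html_safe?`.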
ActiveSupport monkey-patches this method for html_safe?
Definitely like seeing the CGI version vs leaning on ActiveSupport
Just one change of breaking out that test, and you are good-to-merge from my perspective.
I think you misunderstood what I meant about the files... let me show you in a next PR.
Pardon my ignorance here - won't this double escape?

```ruby
# in rails console
Haml::Engine.new("%p{title: html_escape('hi &')}").render
# => "<p title='hi &amp;'></p>\n"
```

That seems incorrect and is causing problems for my app. Should we adopt the Rails fix and only escape the quotes? See rails/rails@v4.2.7...v4.2.7.1

```ruby
def tag_option(key, value, escape)
  if value.is_a?(Array)
    value = escape ? safe_join(value, " ") : value.join(" ")
  else
    value = escape ? ERB::Util.unwrapped_html_escape(value) : value
  end
  # escape only the double quote that delimits the attribute value
  %(#{key}="#{value.gsub(/"/, '&quot;'.freeze)}")
end
```
Could you open a separate issue or pull request? Because that is an intended behavior in this PR, it seems like a new feature. Double escaping could happen for many other cases when you escape something where escaping automatically happens, and that place is where you don't need to escape it since Haml 5+.
Yes, of course, thank you for the quick response!
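The two escaping policies discussed in this thread side by side, as an added example that is not Haml's or Rails' code: an ActiveSupport-style escaper that trusts `html_safe?`, the always-escape policy this PR adopts, and the double escape the comment above observed. `SafeString`, `escape_honoring_html_safe`, `escape_always`, `title_attribute` and `demo` are stand-ins written for this example so it runs without Rails.

```ruby
require "cgi"

# Stand-in for ActiveSupport::SafeBuffer (assumption for this example):
# a String that answers true to html_safe?.
class SafeString < String
  def html_safe?
    true
  end
end

# What the ActiveSupport-patched ERB::Util.html_escape does: html_safe?
# strings are returned untouched, so a SafeBuffer reaches the attribute raw.
def escape_honoring_html_safe(text)
  return text if text.respond_to?(:html_safe?) && text.html_safe?
  CGI.escapeHTML(text.to_s)
end

# What this PR aims for: escape the value regardless of html_safe?, via CGI
# rather than the method ActiveSupport patches.
def escape_always(text)
  CGI.escapeHTML(text.to_s)
end

# Render a %p{title: value} attribute with the given escaper, so both
# policies can be compared on the same input.
def title_attribute(value, escaper)
  "<p title='#{send(escaper, value)}'></p>"
end

# Constructed input: a value marked html_safe that contains a single quote,
# as any helper returning a SafeBuffer might (the CVE-2016-6316 situation).
TRUSTED_BUT_QUOTED = SafeString.new("hi' there")

def demo
  {
    # the quote survives, so the attribute delimiter is not preserved
    honoring: title_attribute(TRUSTED_BUT_QUOTED, :escape_honoring_html_safe),
    # the quote becomes &#39; and the attribute stays intact
    always:   title_attribute(TRUSTED_BUT_QUOTED, :escape_always),
    # escaping an already-escaped value turns & into &amp;amp;, which is
    # why callers must not pre-escape what Haml escapes automatically
    doubled:  escape_always(escape_always("hi &")),
  }
end

p demo if $PROGRAM_NAME == __FILE__
```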
Fixes #993, fixes #1019
Like the Rails helpers fixed in CVE-2016-6316, an attribute should be HTML-escaped even if it's a SafeBuffer.