Form helper doesn't escape value attribute for values entities #96
Conversation
if attribute_name.to_sym == :value | ||
%(#{ATTRIBUTES_SEPARATOR}#{attribute_name}="#{Hanami::Utils::Escape.html(value)}") | ||
else | ||
%(#{ATTRIBUTES_SEPARATOR}#{attribute_name}="#{value}") |
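Review bot: only the `:value` branch escapes; the `else` branch on the last line of the snippet interpolates every other attribute raw, so user input reaching any other attribute (`title`, as the thread goes on to suggest) still closes the quoted attribute and injects further attributes. Escape in both branches rather than special-casing `:value`, and since the value is being placed inside a double-quoted attribute, `Hanami::Utils::Escape.html_attribute` (linked later in this thread) is the context-appropriate escaper rather than `Escape.html`.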
Shouldn't we escape the value in all cases?
Probably yes.
Please also consider using html_attribute instead: https://github.com/hanami/utils/blob/ca91c336ffebb43f1632ffd398b4281b3b7315a5/lib/hanami/utils/escape.rb#L453
We have some attributes like a script. If we escape these attributes we will have an error in the layout. What do you think we should do with these attributes?
Could we simply make a list of the attributes that need escaping? (like value, title, ...)
@TiteiKo We can't predict where developers are going to interpolate user's input.
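The point made above, as an added example that is not code from hanami/helpers or from this PR: two hypothetical attribute builders, one shaped like the PR's first revision (escaping only `value`) and one escaping every attribute, rendered against a constructed breakout payload. `CGI.escapeHTML` from the Ruby standard library stands in for `Hanami::Utils::Escape.html_attribute` so the script runs without hanami-utils; `ATTRIBUTES_SEPARATOR` being a single space is an assumption.

```ruby
require "cgi"

# Added illustration, not hanami/helpers code. The two builders below are
# hypothetical stand-ins for the helper's attribute rendering. CGI.escapeHTML
# (stdlib) is used as the attribute escaper so this runs without hanami-utils.

# Name mirrors the PR snippet; a single space is an assumption.
ATTRIBUTES_SEPARATOR = " ".freeze

# Shape of the PR's first revision: only :value is escaped, every other
# attribute is interpolated raw into a double-quoted attribute.
def attributes_escaping_only_value(attrs)
  attrs.map do |name, value|
    if name.to_sym == :value
      %(#{ATTRIBUTES_SEPARATOR}#{name}="#{CGI.escapeHTML(value.to_s)}")
    else
      %(#{ATTRIBUTES_SEPARATOR}#{name}="#{value}")
    end
  end.join
end

# Hardened shape: every attribute value is escaped before it is quoted,
# regardless of the attribute name.
def attributes_escaping_all(attrs)
  attrs.map do |name, value|
    %(#{ATTRIBUTES_SEPARATOR}#{name}="#{CGI.escapeHTML(value.to_s)}")
  end.join
end

# Renders an <input> tag using the named builder.
def render_input(attrs, builder)
  "<input#{send(builder, attrs)}>"
end

# Constructed attacker input: closes the quoted attribute, adds an event
# handler and autofocus so the handler fires without user interaction.
PAYLOAD = %(x" onfocus="alert(1)" autofocus="y).freeze

# True when the payload escaped its quoted context: a tag built from N
# attributes contains exactly 2*N literal double quotes when nothing broke out.
def attribute_breakout?(html, expected_attribute_count)
  html.count('"') != 2 * expected_attribute_count
end

if $PROGRAM_NAME == __FILE__
  attrs = { type: "text", name: "title", title: PAYLOAD }
  puts render_input(attrs, :attributes_escaping_only_value)
  puts render_input(attrs, :attributes_escaping_all)
end
```

With the payload in `title`, the first builder emits a live `onfocus` handler while the second emits `title="x&quot; onfocus=&quot;alert(1)&quot; ..."`, which the browser treats as plain text. A developer-written handler such as `onclick: "toggle()"` still renders as `onclick="toggle()"` under the hardened builder, since nothing in it needs escaping.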
Alternatively we can make this change in _value:
def _value(name) |
WDYT?
@jodosha good idea 👍
Okay, I updated
@davydovanton I don't understand the difference. Why can't it be in
I fixed the CI build.
Also, I checked this in my local app, and everything worked correctly 🎉
LGTM 👍
@jodosha thanks for the help and review 👍
Closes hanami/hanami#709