Form helper doesn't escape value attribute for values entities #96
Conversation
davydovanton
force-pushed
the
escape-input-value
branch
3 times, most recently
from
ac2e72b
to
c5461e9
Compare
davydovanton
force-pushed
the
escape-input-value
branch
3 times, most recently
from
6d92692
to
591e9ad
Compare
davydovanton
changed the title
| if attribute_name.to_sym == :value | ||
| %(#{ATTRIBUTES_SEPARATOR}#{attribute_name}="#{Hanami::Utils::Escape.html(value)}") | ||
| else | ||
| %(#{ATTRIBUTES_SEPARATOR}#{attribute_name}="#{value}") |
There was a problem hiding this comment.
Shouldn't we escape the value in all cases?
There was a problem hiding this comment.
Probably yes.
Please also consider to use html_attribute instead https://github.com/hanami/utils/blob/ca91c336ffebb43f1632ffd398b4281b3b7315a5/lib/hanami/utils/escape.rb#L453
There was a problem hiding this comment.
We have some attributes like a script. If we escape this attributes we will have a error in layout. What do you think what we should do with this attributes?
There was a problem hiding this comment.
Could we simply make a list of the attributes that need escaping? (like value, title, ...)
There was a problem hiding this comment.
@TiteiKo We can't predict where developers are going to interpolate user's input.
There was a problem hiding this comment.
Alternatively we can make this change in _value:
WDYT?
There was a problem hiding this comment.
@jodosha good idea 👍
davydovanton
force-pushed
the
escape-input-value
branch
2 times, most recently
from
c61c99a
to
f6ed96f
Compare
|
Okay, I updated |
|
@davydovanton I don't understand the difference. Why it can't be in |
davydovanton
force-pushed
the
escape-input-value
branch
from
f6ed96f
to
95feac3
Compare
|
I fixed CI build.
|
|
Also, I checked this in my local app, and all worked correctly 🎉 |
|
@jodosha thanks for help and review 👍 |
Closes hanami/hanami#709