View and presenters auto escape #60
Merged
**ATTENTION:** In order to prevent XSS attacks, please read the instructions below.
Because Lotus::View supports a lot of template engines, the escape happens at the level of the view.
Most of the times everything happens automatically, but there are still some corner cases that need your manual intervention.
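Review bot: since this warning tells developers to read the instructions below, the README lines shown here should also state that the escaping is performed by Lotus::View itself and is not delegated to the template engine (ERB or HAML), as the PR description does; without that, a reader may assume the engine's own autoescape setting is what protects them. Minor: "Most of the times" should read "Most of the time".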
Small typo - 'time' instead of 'times'
👍
Love it.
+1
jodosha added a commit that referenced this pull request on Feb 22, 2015: View and presenters auto escape
timriley added a commit that referenced this pull request on Mar 15, 2020: …utes Decorate truthy part attributes only
Starting from now, the output of views and presenters is always autoescaped.
Because Lotus::View supports a lot of template engines, the escape happens at the level of the view and it doesn't delegate to ERB or HAML.
Most of the time everything happens automatically, but there are still some corner cases that need the developer's manual intervention.

View autoescape

Presenter autoescape

Escape entire objects

We have seen that concrete methods in views are automatically escaped.
This is great, but tedious if you need to print a lot of information from a given object.
Imagine having `user` as part of the view locals. If you want to use `<%= user.name %>` directly, you're still vulnerable to XSS attacks. You have two alternatives to fix the problem:
`UserPresenter`, example above)
Both those solutions allow you to keep the template syntax unchanged (`<%= user.name %>`), but to get a safe output.

Raw contents

You can use `_raw` to mark an output as safe. Please note that this may open your application to XSS attacks.

Raw contents in views

Raw contents in presenters
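The escaping model described in this PR (escaping done at the view level rather than by the template engine, a presenter that escapes every attribute of a wrapped object, and a raw marker that bypasses escaping) as an added Ruby illustration; this is not Lotus::View's own code, and `HtmlEscaper`, `SafeString`, `EscapingPresenter` and `User` are names constructed for the example.

```ruby
# Added illustration, not Lotus::View's code: HtmlEscaper, SafeString,
# EscapingPresenter and User are constructed names.
require 'cgi'

# A string already known to be safe; the escaper passes it through untouched.
class SafeString < String
  def html_safe?
    true
  end
end

module HtmlEscaper
  # Escape at the view level, independent of ERB/HAML: plain values are
  # HTML-escaped, values already marked safe are returned unchanged, so
  # escaping twice never double-encodes.
  def self.escape(value)
    return value if value.respond_to?(:html_safe?) && value.html_safe?
    SafeString.new(CGI.escapeHTML(value.to_s))
  end

  # Mark content as trusted and skip escaping (the PR's _raw idea);
  # user-controlled input passed here reintroduces the XSS risk.
  def self.raw(value)
    SafeString.new(value.to_s)
  end
end

# Wraps an object and escapes every attribute it exposes, so a template can
# keep writing `<%= user.name %>` and still get safe output.
class EscapingPresenter
  def initialize(object)
    @object = object
  end

  def method_missing(name, *args, &block)
    return super unless @object.respond_to?(name)
    HtmlEscaper.escape(@object.public_send(name, *args, &block))
  end

  def respond_to_missing?(name, include_private = false)
    @object.respond_to?(name, include_private) || super
  end
end

# Constructed sample input: a display name carrying a script tag.
User = Struct.new(:name, :bio)
user = User.new('<script>alert(1)</script>', '<b>hi</b>')
presenter = EscapingPresenter.new(user)
puts presenter.name            # => &lt;script&gt;alert(1)&lt;/script&gt;
puts HtmlEscaper.raw(user.bio) # => <b>hi</b>
```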