-
Notifications
You must be signed in to change notification settings - Fork 508
-
Notifications
You must be signed in to change notification settings - Fork 508
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Method to Disable Rendering with Safebuffer #1238
Comments
+1 I'm rendering a raw HTML template to make an index.html file inside a Dropbox folder. I'm currently hacking around it with:
but I'd much rather be able to pass I'll try to throw a pull request together if it seems reasonable. UPDATE: I think escape_html and a global flag per @basex could be handled generally the same way within the engine. |
@skade what are your thoughts on this? I think that allowing users to disable the use of SafeBuffer makes sense. /cc @padrino/core-members |
I see no reason not to allow it to be disabled if the user wants... On Wed, Apr 10, 2013 at 3:47 PM, Darío Javier Cravero
|
I was thinking about the implementation for this... Would it be a good idea to provide a |
I am not really convinced. Wouldn't it be better to just make the helpers in question just generate |
Yeah @skade, something along those lines was my initial proposition to @basex too but some people may still want to fully disable this feature instead of wrapping it around with helpers. Of course they need to understand the security issues associated with it, but that's up to them too. |
@skade My specific issue is that an entire template is getting escaped. In my example above, 'ui/views/templates/index.html.erb' is (excerpt):
That's generating "<html>" (and so on.) I could convert that to a String and html_safe it, but it seems indirect. I'd rather just have the option to pass escape_html: false to the engine. |
This is preventing me from upgrading to 0.11. Please can we have an option to disable the safebuffer asap? |
I agree, also for performance purposes Sent from my iPhone On 13/apr/2013, at 09:29, Stephen Reid notifications@github.com wrote: This is preventing me from upgrading to 0.11. Please can we have an option — |
What performance purposes? A SafeBuffer is a String and concatenating two SafeBuffers or a String and SafeBuffer is as cheap as concatenating to normal strings, including all optimizations the interpreter does. |
Probably the cleanest way to do this is to declare Strings as html_safe if the feature should be disabled. I am not a fan of this options, still, though. It points to an application problem that should be fixed. There is a reason why you cannot disable this behaviour in most engines/frameworks that use similar techniques. class String
def html_safe?
true
end
end |
+1 This is crucial for us. |
@tiagomatos Just to gather knowledge: could you please go into detail about your problems? |
# lib/disable_safe_buffer.rb
String.send(:define_method, :html_safe?){ true } We should document this and that's it. |
Shouldn't there be a method to disable Safebuffer for your app the same way you can disable the CSRF protection?
My problem is that I'm using fast_gettext a lot on templates, so I have many strings like
and
Adding <%== or .html_safe everywhere doesn't seem a good idea. This are just static pages without forms, so I think it should be possible to neglect the Safebuffer protection.
For reference, this is related with #1031
IRC chat about this topic: http://irclogger.com/.padrino/2013-04-09#1365558257
The text was updated successfully, but these errors were encountered: