padrino-core/application/rendering/extensions/erubis.rb causes other Sinatra erb templates to be HTML escaped #1256

Closed
postmodern opened this Issue Apr 24, 2013 · 13 comments

Contributor

postmodern commented Apr 24, 2013

The way in which padrino registers Padrino::Erubis::Template to be used when the erb rendering method is called causes responses from other Sinatra applications to be entirely escaped.

class Middleware < Sinatra::Base

  get '/foo' do
    erb :foo
  end

end

class App < Padrino::Application
  use Middleware
end

$ curl http://localhost:3000/
&lt;!DOCTYPE html&gt;
&lt;!-- saved from url=(0014)about:internet --&gt;
&lt;html&gt;
&lt;head&gt;
....

Contributor

dariocravero commented Apr 24, 2013

Whoever looks at this, see this discussion.

Contributor

postmodern commented May 2, 2013

Any progress on this? This is preventing me from using resque-web with padrino.

#!/usr/bin/env rackup
# encoding: utf-8

# This file can be used to start Padrino,
# just execute it from the command line.

require File.expand_path("../config/boot.rb", __FILE__)

require 'resque/server'

run Rack::URLMap.new  '/'       => Padrino.application,
                      '/resque' => Resque::Server.new

$ curl http://localhost:9292/resque/overview/
&lt;!DOCTYPE html&gt;
&lt;html lang=&quot;en&quot;&gt;
&lt;head&gt;
  &lt;meta charset=&quot;utf-8&quot; /&gt;
  &lt;title&gt;Resque.&lt;/title&gt;
  &lt;link href=&quot;/resque/reset.css&quot; media=&quot;screen&quot; rel=&quot;stylesheet&quot; type=&quot;text/css&quot;&gt;
  &lt;link href=&quot;/resque/style.css&quot; media=&quot;screen&quot; rel=&quot;stylesheet&quot; type=&quot;text/css&quot;&gt;
  &lt;script src=&quot;/resque/jquery-1.3.2.min.js&quot; type=&quot;text/javascript&quot;&gt;&lt;/script&gt;
  &lt;script src=&quot;/resque/jquery.relatize_date.js&quot; type=&quot;text/javascript&quot;&gt;&lt;/script&gt;
  &lt;script src=&quot;/resque/ranger.js&quot; type=&quot;text/javascript&quot;&gt;&lt;/script&gt;
&lt;/head&gt;
&lt;body&gt;
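
A regression guard for the symptom reported above, as an added example that is not part of the thread or of Padrino, Sinatra or Resque: a small Rack middleware that raises when a text/html response comes back entity-escaped as a whole. The name EscapedBodyGuard, the helper guard_result and the two sample apps are hypothetical and constructed here.

```ruby
# Added example: Rack middleware for test/development stacks. Not Padrino code.
class EscapedBodyGuard
  class WhollyEscaped < StandardError; end

  # A wholly escaped page opens with an escaped doctype, comment or <html> tag.
  ESCAPED_OPENING = /\A\s*&lt;(?:!DOCTYPE\b|!--|html\b)/i

  def self.wholly_escaped?(content_type, body)
    return false unless content_type.to_s.downcase.start_with?('text/html')
    ESCAPED_OPENING.match?(body)
  end

  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    text = +''
    body.each { |chunk| text << chunk } # buffer the body so it can be inspected
    body.close if body.respond_to?(:close)
    type = headers.find { |name, _| name.to_s.casecmp?('content-type') }&.last
    if self.class.wholly_escaped?(type, text)
      raise WhollyEscaped, "#{env['PATH_INFO']} returned entity-escaped HTML"
    end
    [status, headers, [text]]
  end
end

# Constructed sample apps standing in for the mounted Sinatra application.
HTML_HEADERS = { 'content-type' => 'text/html;charset=utf-8' }.freeze
BROKEN_APP = lambda do |_env|
  [200, HTML_HEADERS.dup, ["&lt;!DOCTYPE html&gt;\n&lt;html lang=&quot;en&quot;&gt;\n"]]
end
HEALTHY_APP = lambda do |_env|
  [200, HTML_HEADERS.dup, ["<!DOCTYPE html>\n<html><body>use &lt;b&gt; for bold</body></html>"]]
end

# Returns the Rack response triple, or the guard's message if it fired.
def guard_result(app, path)
  EscapedBodyGuard.new(app).call('PATH_INFO' => path)
rescue EscapedBodyGuard::WhollyEscaped => e
  e.message
end
```

In a config.ru like the one above it would be enabled with `use EscapedBodyGuard` before the `run` line, in test and development only, since it buffers every response body.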

henry74 commented May 21, 2013

Having the same issue - looking for a workaround if possible while we wait for fix. Any thoughts?

Member

namusyaka commented Sep 16, 2013

If you add set :erb, :engine_class => Padrino::Erubis::SafeBufferTemplate to Middleware, it works well.

namusyaka closed this in e3fe052 Sep 17, 2013

ujifgc added a commit that referenced this issue Sep 17, 2013

bethesque commented Dec 23, 2014

Padrino::Erubis::SafeBufferTemplate does not seem to exist in padrino-core 0.12.4. Got it working by using pointer from @dariocravero, thanks.

Tilt.prefer Tilt::ERBTemplate, :erb

Semantic versioning anyone? Seems like a breaking change to me!

Member

ujifgc commented Dec 24, 2014

@bethesque we are very sorry for the inconvenience. Padrino rendering extensions are not public API, you should not use Padrino::Erubis::SafeBufferTemplate, Padrino::Rendering::SafeEruby, other extensions of Padrino::Rendering. The code there is moderately volatile and dependent on versions and behavior of underlying libraries (Tilt, Erubis, ERB, Haml, Slim, Temple).

bethesque commented Dec 27, 2014

Thanks for your reply @ujifgc. What is the recommended way of solving this problem then?

Member

ujifgc commented Dec 28, 2014

What problem? Do we need to reopen this exact issue, or do you have another one that you are solving by applying the trick mentioned in this issue discussion?

bethesque commented Dec 29, 2014

Using padrino 0.12.4, tilt 1.4.1, sinatra 1.4.5, I believed I had the issue that this bug refers to, and fixed it using the Tilt.prefer setting. On closer inspection, it may just be the same symptom.

      Tilt.prefer Tilt::ERBTemplate, :erb # Stop HTML being escaped

      class Groups < Padrino::Application

        set :root, File.join(File.dirname(__FILE__), '..')
        set :show_exceptions, true

        get ":name" do
          erb :'groups/show.html', {
            locals: {
              ...
            }
          }, {
            layout: 'layouts/main'
          }
        end
      end

&lt;!DOCTYPE html&gt;
&lt;html lang=&quot;en&quot;&gt;
&lt;head&gt;

Member

namusyaka commented Dec 31, 2014

@bethesque Couldn't reproduce.
Of course, I'm using tilt 1.4.1, sinatra 1.4.5 and padrino 0.12.4.
Could you provide a minimal failing project with a locked Gemfile?

bethesque commented Jan 2, 2015

I took my project and ripped out everything except the code to reproduce the issue. It turns out that it's the erubis gem being included in the Gemfile that causes the issue.

https://github.com/bethesque/padrino-html-erb-escape

Unfortunately, the erubis gem is a dependency of a dependency of a dependency, so I can't rip it out.

Member

namusyaka commented Jan 3, 2015

Thanks for providing that.
This can be resolved by adding register Padrino::Rendering or register Padrino::Helpers.
In addition, the following patch can also resolve your problem.

diff --git a/Gemfile b/Gemfile
index 655d25e..a052147 100644
--- a/Gemfile
+++ b/Gemfile
@@ -1,7 +1,7 @@
 source 'https://rubygems.org'

 gem 'rack'
-gem 'padrino', '~>0.12.4'
+gem 'padrino-core', '~>0.12.4'
 gem 'rack-test'
 gem 'rake', '~>10.0'
 gem 'rspec', '~>3.0'
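
Review bot: At `gem 'padrino-core', '~>0.12.4'`, narrowing the dependency from the `padrino` meta gem also drops padrino-helpers, which the reply says is what loaded the Tilt preference for the escaping Erubis template. Any view in this project that relied on that engine to escape `<%= %>` output needs explicit escaping after this change. The patch touches only Gemfile and lib/app.rb, so if the repository tracks Gemfile.lock, re-run `bundle install` and commit the regenerated lock file together with it.
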
diff --git a/lib/app.rb b/lib/app.rb
index 771f7c2..698165a 100644
--- a/lib/app.rb
+++ b/lib/app.rb
@@ -1,4 +1,4 @@
-require 'padrino'
+require 'padrino-core'

 Padrino::Logger::Config[:development] = { :log_level => :warn }
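
Review bot: At `require 'padrino-core'`, nothing guards against the escaping regression returning: a later `require 'padrino'` or `require 'padrino-helpers'` anywhere in the load path would bring the Tilt preference back. The Gemfile already lists rack-test and rspec, so add a spec that requests a rendered page and asserts the body starts with `<!DOCTYPE html>` rather than `&lt;!DOCTYPE html&gt;`.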

Your project bundled padrino-helpers, so the tilt preferring code was required automatically.
https://github.com/padrino/padrino-framework/blob/master/padrino-helpers/lib/padrino/rendering/erubis_template.rb#L62

bethesque commented Jan 3, 2015

Right, I see. Thanks very much for your help @namusyaka.
