
form helpers do not escape quotes et c. #381

Closed
pirj opened this Issue Dec 11, 2010 · 8 comments

@pirj
Contributor

pirj commented Dec 11, 2010

-form_for category, url(:company, :update, :id => company.id) do |f|
  =f.text_field :name, :class => :text_field

input renders as:

<input class="text_field" value=""Example" Ltd." id="manufacturer_name" name="manufacturer[name]" type="text" />

I think TagHelpers.tag should look like:
...
content = content.map {|c| escape_html(c)}.join("\n") if content.respond_to?(:join)

and escape should at least escape ", <, >

as in this case it's not quite clear how to use escape_html helper with text_field helper

@DAddYE
Member

DAddYE commented Dec 11, 2010

I didn't understand well what you mean.

@pirj
Contributor

pirj commented Dec 12, 2010

value=""Example" Ltd."

should be
value=""Example" Ltd."

@nesquena
Member

nesquena commented Dec 12, 2010

Was this addressed? Or why was this closed?

@pirj
Contributor

pirj commented Dec 13, 2010

Looks like GitHub messes up escaping twice; fixed comment above.

@igorsantos07
igorsantos07 commented Aug 25, 2011

Sorry, but this issue is real and present.

The "value" attribute of fields generated by form helper isn't escaped.
It should render value="\"Example\" Ltd." instead of value=""Example" Ltd."
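The attribute-escaping problem this thread describes, as an added example in Ruby (not Padrino's own TagHelpers code): a raw-interpolation renderer that reproduces the reported output next to one that escapes ", <, > and & in attribute values, plus a small parser that shows what a browser would actually keep of the value. The helper names and the second sample value 'A & B <c>' are constructed for this example.

```ruby
require 'cgi'

# Escape the characters the issue asks for (", <, >) plus & so the output
# round-trips through an HTML parser. Added helper, not Padrino's escape_html.
ATTR_ESCAPES = { '&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;' }.freeze

def escape_attr(value)
  value.to_s.gsub(/[&<>"]/, ATTR_ESCAPES)
end

# Renders the way the bug report describes: the value is interpolated raw,
# so a value containing a double quote terminates the attribute early.
def text_field_unescaped(name, value)
  %(<input type="text" name="#{name}" value="#{value}" />)
end

# Hardened rendering: every attribute value passes through escape_attr.
def text_field_escaped(name, value)
  %(<input type="text" name="#{escape_attr(name)}" value="#{escape_attr(value)}" />)
end

# Reads the value attribute the way a browser would: up to the next double
# quote, then entity-decoded. Returns what the user would see in the field.
def parsed_value(html)
  raw = html[/value="([^"]*)"/, 1]
  raw && CGI.unescapeHTML(raw)
end

# Constructed inputs: the value from the issue, and one exercising & < >.
SAMPLE_VALUES = ['"Example" Ltd.', 'A & B <c>'].freeze

# True when every sample value survives rendering and parsing unchanged.
def round_trips?(renderer)
  SAMPLE_VALUES.all? { |v| parsed_value(send(renderer, 'manufacturer[name]', v)) == v }
end

if __FILE__ == $PROGRAM_NAME
  SAMPLE_VALUES.each do |v|
    puts text_field_unescaped('manufacturer[name]', v)
    puts text_field_escaped('manufacturer[name]', v)
  end
  puts "unescaped round-trips: #{round_trips?(:text_field_unescaped)}" # false
  puts "escaped round-trips:   #{round_trips?(:text_field_escaped)}"   # true
end
```

With the unescaped renderer the first sample yields value="" followed by stray text, so the field is silently empty; the escaped renderer emits value="&quot;Example&quot; Ltd." and the parser recovers the original string.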

@nesquena nesquena reopened this Aug 25, 2011

@nesquena
Member

nesquena commented Aug 25, 2011

Great, thanks for bringing it up; will try and get a fix in soon.

@ghost ghost assigned nesquena Aug 26, 2011

@DAddYE DAddYE closed this in 9e25caa Aug 30, 2011

@DAddYE
Member

DAddYE commented Aug 30, 2011

@igorsantos07 can you confirm for me that the latest fix works for you?

@igorsantos07

igorsantos07 commented Aug 30, 2011

Working fine, @DAddYE :D
ty (:

DAddYE added a commit that referenced this issue Aug 30, 2011
