Rendering using Safebuffer #1031
Sadly, it contains 2 extensions to erubis and HAML.
The erubis extension is well within the bounds of the library's API on the erubis side of things and is similar to the way Rails handles these things. Sadly, it requires a tiny hack to work with tilt 1.3.3 and its twisted template compilation - considering that Tilt hasn't been released since 2011, I see no quick fix there.
The HAML extension is necessary, as the modifications handling SafeBuffer shipped with HAML mainline can only be loaded when ActionView is present. I will lobby with the HAML team to make them available standalone, they are a simple copy.
Slim works out of the box, as "=" escapes by default anyway.
Both need a set of default options, which is now supplied.
All helpers are ported and the tests run. The general rule is: structural helpers (content_for, form_for, etc.) and rendering helpers always assume their content to be escaped while code generating helpers (content_tag, tag) assume that all values need to be escaped.
I took the liberty of hiding an Easter egg for @postmodern in the core test suite.
See the commit messages for details.
By the way, for anyone interested in details of how it works and why it's fast: http://yehudakatz.com/2010/02/01/safebuffers-and-rails-3-0/
@hooopo Yes, that's possible. The problem is that this interacts badly with helpers if you don't take care:
<%= link_to("<script>...</script>"...) %>
will fully escape the link, while
<%== link_to("<script>...</script>"...) %>
will let the script tag through in the current state. SafeBuffer cleanly handles all these cases by providing a very nice way to track which strings are safe and which are not.
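To make the point of the comment above concrete, here is an added toy illustration of the SafeBuffer idea (modelled on ActiveSupport::SafeBuffer; it is not Padrino's, Rails' or this PR's code). `render_legacy` stands in for the old "<%=" / "<%==" behaviour, `render_safe` for a SafeBuffer-backed template, and `link_to` for a code-generating helper that escapes its values and marks its own markup as safe.

```ruby
require "cgi"

# Toy SafeBuffer (constructed for illustration): a String that knows it is
# already escaped and escapes anything unsafe that gets appended to it.
class SafeBuffer < String
  def html_safe?
    true
  end

  # Plain Strings are escaped on the way in; already-safe content is kept as
  # is, so helper output is never escaped twice and raw input never leaks.
  def <<(value)
    safe = value.respond_to?(:html_safe?) && value.html_safe?
    super(safe ? value : CGI.escapeHTML(value.to_s))
  end
end

class String
  def html_safe?
    false
  end

  def html_safe
    SafeBuffer.new(self)
  end
end

# A "code generating" helper in the sense of the PR description: every value
# it receives is escaped, and the markup it builds is marked safe.
def link_to(text, href)
  %(<a href="#{CGI.escapeHTML(href)}">#{CGI.escapeHTML(text)}</a>).html_safe
end

# Pre-SafeBuffer rendering: "<%=" escapes everything it is given (so helper
# output gets escaped a second time), "<%==" escapes nothing at all.
def render_legacy(value, escape:)
  escape ? CGI.escapeHTML(value.to_s) : value.to_s
end

# SafeBuffer rendering: the buffer decides per value by asking html_safe?.
def render_safe(*values)
  values.each_with_object(SafeBuffer.new) { |value, buf| buf << value }
end
```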
Can we decide on a milestone for this? API-wise, this is not a big breaking change, but for users that don't sanitize their input into helpers, it is. Then again, users that have problems with this probably should fix their code, and quickly.
As this is security related, I'd prefer the next release.
What else is needed for 0.11? What can I help with?