
Mark all raw HTML being concatted as HTML-safe.

Signed-off-by: Jeremy Kemper <jeremy@bitsweat.net>
1 parent 55e88ee · commit 48fbe7b0d8fcecce200ea35f46a8716077e13aea · nex3 committed with jeremy, May 23, 2010
actionpack/lib/action_view/helpers/form_helper.rb (2 lines changed)
@@ -280,7 +280,7 @@ def form_for(record_or_name_or_array, *args, &proc)
concat(form_tag(options.delete(:url) || {}, options.delete(:html) || {}))
fields_for(object_name, *(args << options), &proc)
- concat('</form>')
+ concat('</form>'.html_safe)
end
def apply_form_for_options!(object_or_array, options) #:nodoc:
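Review bot: marking the closing tag safe at `concat('</form>'.html_safe)` is correct, since it is a constant literal with no interpolated data, but the hunk leaves the other two things written to the buffer in this helper untouched: the return value of `form_tag(options.delete(:url) || {}, options.delete(:html) || {})` and whatever `fields_for` concats while the block runs. Under an escaping output buffer either of those coming back as a plain String escapes the opening `<form ...>` exactly as the closing tag was being escaped. The commit changes no test files; a regression test that renders `form_for` against a SafeBuffer output buffer and asserts on the literal `<form` and `</form>` in the result would pin this down.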
actionpack/lib/action_view/helpers/form_tag_helper.rb (4 lines changed)
@@ -435,7 +435,7 @@ def field_set_tag(legend = nil, options = nil, &block)
concat(tag(:fieldset, options, true))
concat(content_tag(:legend, legend)) unless legend.blank?
concat(content)
- concat("</fieldset>")
+ concat("</fieldset>".html_safe)
end
private
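Review bot: `concat(content)` on the line above the patched `"</fieldset>"` depends on `content` (captured from the block) already being a safe string; if it arrives as a plain String the whole captured body is escaped, which is the "divs get escaped" symptom reported in the comments below this commit. `legend` on the `content_tag(:legend, legend)` line is caller data, so it is right that it does not get the `.html_safe` treatment given to the constant literal; that contrast is worth a one-line comment so a later sweep does not "fix" it. A test with literal markup inside the block would cover the first point.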
@@ -469,7 +469,7 @@ def form_tag_in_block(html_options, &block)
content = capture(&block)
concat(form_tag_html(html_options))
concat(content)
- concat("</form>")
+ concat("</form>".html_safe)
end
def token_tag
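Review bot: same gap as in `form_for`: `content = capture(&block)` and `concat(form_tag_html(html_options))` are left as they are, so the `.html_safe` on the closing tag only helps if both of those already return safe strings. `form_tag` with a block is exactly the snippet quoted in the first comment on this commit, so this is the helper that should carry a test asserting that literal `<div>` markup inside the block survives unescaped, otherwise the report below cannot be distinguished from a regression here.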
actionpack/lib/action_view/helpers/prototype_helper.rb (2 lines changed)
@@ -393,7 +393,7 @@ def remote_form_for(record_or_name_or_array, *args, &proc)
concat(form_remote_tag(options))
fields_for(object_name, *(args << options), &proc)
- concat('</form>')
+ concat('</form>'.html_safe)
end
alias_method :form_remote_for, :remote_form_for
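Review bot: this is the third copy of `concat('</form>'.html_safe)` in the commit (the others are in `form_for` in form_helper.rb and `form_tag_in_block` in form_tag_helper.rb), and `remote_form_for` otherwise duplicates the body of `form_for`. Hoisting the closing-tag literal into one shared helper or constant would remove the chance of the next escaping change patching one copy and missing another, which is the failure mode this commit is itself cleaning up. The commit message says "all raw HTML being concatted", so the completeness check is a grep for `concat('</` and `concat("</` across the helpers.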

5 comments on commit 48fbe7b

@alexyoung

Now the example in the documentation doesn't work:

  <% form_tag '/posts' do -%>
    <div><%= submit_tag 'Save' %></div>
  <% end -%>

The divs will get escaped.

@nex3

That's not because of this commit, although it's possible that there are more things that need to be marked as HTML safe.

@alexyoung

I subsequently realised I got mixed up there as I followed through the changes in 2.3.7. I'm still trying to figure out why I'm getting escaped HTML though.

@lardawge

@alex
Any fix? I have the same problem.

@alexyoung

All my tests pass OK with 2.3.6. Someone on the blog post about 2.3.7 said you need to use the rails_xss plugin (even if you don't want it): http://weblog.rubyonrails.org/2010/5/24/ruby-on-rails-2-3-7-released
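The following Ruby is an added, runnable model of the behaviour this commit and the thread above are about; it is not Rails code. `SafeBuffer`, `HtmlSafeString` and the monkey-patched `String#html_safe` are a hypothetical stand-in for ActiveSupport::SafeBuffer, and `submit_tag`, `form_tag_in_block` and `capture_body` are stand-ins for the helpers in the diff and for the captured ERB body `<div><%= submit_tag 'Save' %></div>` quoted in the first comment. It shows why the plain `'</form>'` literal came out escaped, why marking that constant `.html_safe` is correct, why literal template text appended as a plain String still escapes (the symptom reported above), and why the same marking must never be applied to a string that embeds caller data.

```ruby
require "cgi"

# --- Hypothetical model of an escaping output buffer (not Rails' own code) ---

class String
  # Plain strings are untrusted by default; html_safe returns a safe copy.
  def html_safe?
    false
  end

  def html_safe
    HtmlSafeString.new(self)
  end
end

# A string declared safe: the buffer appends it verbatim.
class HtmlSafeString < String
  def html_safe?
    true
  end
end

# The view's output buffer: anything appended that is not html_safe? is
# HTML-escaped on the way in. This is what turned the plain literal
# '</form>' into '&lt;/form&gt;' before the fix in this commit.
class SafeBuffer < HtmlSafeString
  def <<(value)
    super(value.html_safe? ? value : CGI.escapeHTML(value.to_s))
  end
  alias_method :concat, :<<

  # Append trusted template text without escaping (what a template engine
  # has to use for the static markup between <% %> tags).
  def safe_concat(value)
    self << value.to_s.html_safe
  end
end

# --- Stand-ins for the helpers in the diff ---

# Tag helper: escapes the attribute value, returns the finished tag as safe.
def submit_tag(label)
  %(<input type="submit" value="#{CGI.escapeHTML(label)}" />).html_safe
end

# Modelled on form_tag_in_block: open tag, captured block content, closing tag,
# all concatenated into a fresh buffer. `closing` is passed in exactly as the
# helper would concat it, so both sides of the patch can be exercised.
def form_tag_in_block(action, closing)
  buffer = SafeBuffer.new("")
  buffer << %(<form action="#{CGI.escapeHTML(action)}" method="post">).html_safe
  buffer << yield
  buffer << closing
  buffer.to_s
end

# Models capturing the ERB body  <div><%= submit_tag 'Save' %></div>.
# `literal_text_is_safe` models whether the template engine appends its own
# static markup with safe_concat or as a plain (escaped) String.
def capture_body(label, literal_text_is_safe)
  body = SafeBuffer.new("")
  if literal_text_is_safe
    body.safe_concat("<div>")
    body << submit_tag(label)
    body.safe_concat("</div>")
  else
    body << "<div>"
    body << submit_tag(label)
    body << "</div>"
  end
  body
end

def render_form(closing, label, literal_text_is_safe: true)
  form_tag_in_block("/posts", closing) { capture_body(label, literal_text_is_safe) }
end

# Before the patch: the closing literal is a plain String and gets escaped.
BEFORE = render_form("</form>", "Save")
# After the patch: the constant literal is marked safe and passes through.
AFTER = render_form("</form>".html_safe, "Save")
# The complaint in the thread: template literals appended as plain Strings.
UNSAFE_TEMPLATE = render_form("</form>".html_safe, "Save", literal_text_is_safe: false)
# Caller data stays escaped because nothing marks it safe (constructed input).
ESCAPED_USER = render_form("</form>".html_safe, %(" onfocus="alert(1)))

# The misuse to avoid: html_safe on a string that embeds caller data switches
# escaping off for that data and yields an injected attribute.
def xss_by_misuse(label)
  form_tag_in_block("/posts", "</form>".html_safe) do
    %(<input type="submit" value="#{label}" />).html_safe
  end
end
```

The rule the commit applies, and the one to keep when sweeping for more `concat` calls, is visible in the four constants: `.html_safe` belongs only on literals the helper itself owns; anything built from arguments goes through the escaping path, and the template's own static markup has to be appended as safe text, which is what the thread's "use the rails_xss plugin" advice amounts to.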
