-
Notifications
You must be signed in to change notification settings - Fork 21.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use ActiveSupport::SafeBuffer when flushing content_for #20046
Conversation
@@ -15,7 +15,7 @@ def get(key) | |||
|
|||
# Called by each renderer object to set the layout contents. | |||
def set(key, value) | |||
@content[key] = value | |||
@content[key] = ActiveSupport::SafeBuffer.new(value) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I admit to not knowing much about this code, so forgive me if the following questions are missing something...
It seems from the comment associated with this method that it might impact a lot more than content_for
. Would the following method, append
, which says it's called by content_for
be more appropriate?
Also, would this make all content provided to content_for
html safe? How do we know this is safe?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I believe the intention would be to make all values in the content
hash be instances of ActiveSupport::SafeBuffer, as implied by the constructor, which initializes all values of the content
hash to be ActiveSupport::SafeBuffer instances by default:
def initialize
@content = Hash.new { |h,k| h[k] = ActiveSupport::SafeBuffer.new }
end
Given this, it seems to me that the append
method expects a new value to be appended to be an existing ActiveSupport::SafeBuffer object. A String object (not html_safe) appended to an ActiveSupport::SafeBuffer object will still result in an ActiveSupport::SafeBuffer object.
The set
method as it currently stands is inconsistent with both the constructor and the append
method. I believe this to be unintended, as it could wipe out the initial ActiveSupport::SafeBuffer object created in the constructor with a String.
Is there any other feedback for this? Not trying to be pushy (I understand the team is busy), but just thought it'd be a fairly straightforward patch. |
Previously, when content_for is flushed, the content was replaced directly by a new value in ActionView::OutputFlow#set. The problem is this new value passed to the method may not be an instance of ActiveSupport::SafeBuffer. This change forces the value to be set to a new instance of ActiveSupport::SafeBuffer.
Rebased. Btw can the ActiveSupport label be added at least? Thanks. :) |
Can you please rebase? |
Use ActiveSupport::SafeBuffer when flushing content_for
Backported in dd750a3 |
Use ActiveSupport::SafeBuffer when flushing content_for
This addresses issue #19890.
Previously, when content_for is flushed, the content
was replaced directly by a new value in
ActionView::OutputFlow#set. The problem is this new
value passed to the method may not be an instance of
ActiveSupport::SafeBuffer.
This change forces the value to be set to a new
instance of ActiveSupport::SafeBuffer.