Improve AV changelog with regards to default RAW handler #24929
Conversation
r? @eileencodes (@rails-bot has picked a reviewer for you, use r? to override)
handler instead of ERB. The raw handler does not flag the rendered text as html safe,
so if your application rendered plain JS or HTML files before, you'll have to replace:

<%= render '/common/analytics.js' %>
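Review bot: the ERB snippet at the end of this changelog paragraph is set as running prose and should be in code quotes (and so should the replacement it introduces), otherwise the angle brackets and `%=` are easy to misread in the rendered CHANGELOG. It would also help readers to name the symptom, not only the cause: because the raw handler does not return an html_safe string, `<%= render %>` escapes the file body, so a JS or HTML partial that used to render verbatim now shows up with `<`, `>` and `&` turned into entities. Stating that in one sentence next to the "does not flag the rendered text as html safe" line tells people what to look for when they upgrade.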
`<%= render '/common/analytics.js' %>`, needs code quotes, same below.
It highlights what kind of incompatibilities this could lead to when rendering plain JS or HTML partials.
I've updated the patch, @vipulnsward. Thanks
Thank you so much for making this clear. About making I think this needs better discussion with the security team. I'll open an issue to discuss.
#24949 open
Thanks, I'll add some comments there
In PR #24929 the changelog was updated to note that when the default template handler was changed to raw, this changed the behavior when outputting plain HTML or JS files. Previously ERB would output the files unescaped. Changing the default handler to RAW meant that these same files would be rendered escaped rather than as JS or HTML. Because of this change in behavior, and after the discussion in #24949, we decided to change the behavior of the Raw handler to output html_safe strings by default. Now files rendered with the default handler (raw) render the file unescaped.
cc/ @rafaelfranca
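The behavior change discussed above, as an added example that is not code from this PR or from Rails: a minimal model of how `<%= %>` decides whether to escape what a template handler returns. `SafeString`, `render_output`, the two `raw_handler_*` functions and the sample `ANALYTICS_JS` partial are constructed stand-ins for `ActiveSupport::SafeBuffer`, the ActionView output buffer, the Raw handler before and after #24949, and a real `/common/analytics.js` file; only `ERB` and `ERB::Util.html_escape` come from the Ruby standard library.

```ruby
require "erb"

# Stand-in for ActiveSupport::SafeBuffer: a String that has been declared
# html_safe. A plain String carries no such flag. (Hypothetical helper.)
class SafeString < String
  def html_safe?
    true
  end
end

# Stand-in for the `<%= %>` output path: anything not flagged html_safe is
# escaped on the way out. (Hypothetical helper.)
def render_output(value)
  value.is_a?(SafeString) ? value.to_s : ERB::Util.html_escape(value.to_s)
end

# ERB handler: the compiled template's buffer is html_safe, so a file with
# no ERB tags is emitted verbatim. This is the pre-change behavior.
def erb_handler(source)
  SafeString.new(ERB.new(source).result(binding))
end

# Raw handler before the fix: returns the file body as a plain String, so the
# caller's `<%= render %>` escapes it. (Model of the behavior, not Rails code.)
def raw_handler_before(source)
  String.new(source)
end

# Raw handler after the fix agreed in #24949: flags the body html_safe, so
# the file renders unescaped again. (Model of the behavior, not Rails code.)
def raw_handler_after(source)
  SafeString.new(source)
end

# Constructed sample partial with the characters HTML escaping rewrites.
ANALYTICS_JS = "if (a < b && c > d) { track('page'); }\n"

# Run a partial through a handler and then through the output path.
def render_partial(handler, source)
  render_output(handler.call(source))
end

# true if the handler's output was mangled by escaping, i.e. the breaking case.
def escaped?(handler, source)
  render_partial(handler, source) != source
end

if $PROGRAM_NAME == __FILE__
  { erb: method(:erb_handler),
    raw_before: method(:raw_handler_before),
    raw_after: method(:raw_handler_after) }.each do |name, handler|
    puts "#{name}: #{render_partial(handler, ANALYTICS_JS).inspect}"
  end
end
```

The middle case is what the changelog entry warned about: the file body is byte-for-byte the same, but without the html_safe flag the output path escapes `<`, `>`, `&` and `'`, which turns a working script into broken JavaScript. Making the handler return a safe string restores the ERB behavior for files that never had ERB tags in the first place.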