Improve AV changelog with regards to default RAW handler #24929
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
r? @eileencodes (@rails-bot has picked a reviewer for you, use r? to override) |
| handler instead of ERB. The raw handler does not flag the rendered text as html safe, | ||
| so if your application rendered plain JS or HTML files before, you'll have to replace: | ||
|
|
||
| <%= render '/common/analytics.js' %> |
There was a problem hiding this comment.
<%= render '/common/analytics.js' %>, needs code quotes, same below.
It highlights which kind of incompatibilities this could lead to when rendering plain JS or HTML partials.
|
I've updated the patch, @vipulnsward. Thanks |
|
Thank you so much for making this clear. About making I think this needs better discussion with the security team. I'll open an issue to discuss. |
|
#24949 open |
rafaelfranca
pushed a commit
to rafaelfranca/omg-rails
that referenced
this pull request
May 10, 2016
Improve AV changelog with regards to default RAW handler
rafaelfranca
pushed a commit
that referenced
this pull request
May 10, 2016
Improve AV changelog with regards to default RAW handler
|
Thanks, I'll add some comments there |
eileencodes
added a commit
that referenced
this pull request
Jun 21, 2016
In PR #24929 the changelog was updated to make note that while the new template handler was changed to raw this changed the behavior when outputting plain html or js files. Previously ERB would output the files unescaped. Changing the default handler to RAW meant that these same files would be rendered as escaped rather than as js or html. Because of this change in behavior and after the discussion #24949 in we decided to change the behavior of the Raw handler to output html_safe strings by default. Now files rendered with the default handler (raw) render the file unescaped.
eileencodes
added a commit
that referenced
this pull request
Jun 21, 2016
In PR #24929 the changelog was updated to make note that while the new template handler was changed to raw this changed the behavior when outputting plain html or js files. Previously ERB would output the files unescaped. Changing the default handler to RAW meant that these same files would be rendered as escaped rather than as js or html. Because of this change in behavior and after the discussion #24949 in we decided to change the behavior of the Raw handler to output html_safe strings by default. Now files rendered with the default handler (raw) render the file unescaped.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
It highlights which kind of incompatibilities this could lead to when rendering plain JS or HTML partials.
cc/ @rafaelfranca