Skip to content

3.0.10 - simple_format with :sanitize => false produces html unsafe string #2812

jonleighton opened this Issue Sep 2, 2011 · 2 comments

3 participants

Ruby on Rails member
ruby-1.8.7-p352 :001 > a =
 => #<ActionView::Base:0x7f61c08b6c70 @helpers=#<Module:0x7f61c08b39f8>, @output_buffer=nil, @lookup_context=#<ActionView::LookupContext:0x7f61c06a2650 @skip_default_locale=false, @details={:locale=>[:en, :en], :handlers=>[:rjs, :rhtml, :rxml, :builder, :haml, :erb], :formats=>[:html, :text, :js, :css, :ics, :csv, :xml, :rss, :atom, :yaml, :multipart_form, :url_encoded_form, :json]}, @frozen_formats=false, @view_paths=[], @details_key=nil>, @_virtual_path=nil, @_controller=nil, @controller=nil, @_content_for={}, @_config=#<OrderedHash {}>, @assigns={}> 
ruby-1.8.7-p352 :004 > a.simple_format("foo", {}, :sanitize => false).html_safe?
 => false 
ruby-1.8.7-p352 :005 > a.simple_format("foo", {}).html_safe?
 => true 

Appears to be fixed in 3.1 so need to work out what fixed it and backport.

@jonleighton jonleighton was assigned Sep 2, 2011

I think that this behavior is correct. Test test_simple_format_should_not_be_html_safe_when_sanitize_option_is_false shows this.

So I think the problem is in 3-1-stable, and that it's behavior in this case is wrong. The test I just mentioned was committed to 3-0-stable, but does not appear in 3-1-stable. It appears that the change in simple_format behavior you allude to in 3.1 was caused in an attempt at fixing Issue #1745.

I've made a change for simple_format in 3-1-stable that I think will address the problem raised in Issue #1745, while still giving the correct behavior when :sanitize => false, and added some tests.

I am quite new to rails, so please double check to see if what I've found and done make any sense.

@rafaelfranca rafaelfranca was assigned Apr 30, 2012
Ruby on Rails member

hey @jonleighton, since Rails 3-0-stable is not supported anymore is this still an issue? If so I'll work on that.


Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.