warning: regexp match /.../n against to UTF-8 string #3927
Comments
If we use the n option for a regex, I think that the string should be binary.
Relates to 0e17cf1
I fixed it, but it seems that my fix is not so cool. 1: silence_warning. What do you think? /cc @josevalim
I don't know, but if there is a problem with security the first option is better. But is there any problem with silencing the warning?
I tested the performance of each fix.

```ruby
# encoding: utf-8
require 'active_support/core_ext/string/output_safety'
require 'active_support/core_ext/kernel/reporting' # provides silence_warnings
require 'benchmark'
include ERB::Util

# original implementation: /n regexp, warns when matched against a UTF-8 string
def html_escape1(s)
  s = s.to_s
  if s.html_safe?
    s
  else
    s = s.gsub(/[&"><]/n) { |special| HTML_ESCAPE[special] }.html_safe
  end
end

# same regexp, with the interpreter warning suppressed
def html_escape2(s)
  silence_warnings {
    s = s.to_s
    if s.html_safe?
      s
    else
      s = s.gsub(/[&"><]/n) { |special| HTML_ESCAPE[special] }.html_safe
    end
  }
end

# run the given escaper 10000 times over the same string and print the timing
def runner(title, method, string)
  GC.start
  puts title
  puts Benchmark.measure {
    10000.times do
      send(method, string)
    end
  }
end

# UTF-8 input containing the four special characters plus a multibyte character
string = '1&2"<3>あ' * 10
string.freeze
puts Benchmark::CAPTION
runner "original", :html_escape1, string
runner "silence warning", :html_escape2, string
runner "my fix", :html_escape, string # html_escape from ERB::Util, with the fix applied
```

I got the following test results.

It seems that
I sent a PR.
never mind, that doesn't actually match invalid utf-8 bytes :(
interesting ... so /&|"|>|</ actually does work in 1.9.2 (no XSS), and it doesn't issue any warnings. It does not work in 1.8.7, but the current regexp does (and doesn't issue warnings), so an alternative solution would be to use different regexes for 1.8.x and 1.9.x
+1 for different solutions for 1.8 and 1.9.x. Could someone please submit a pull request? Tks.
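The discussion above compares three escaper variants: the original `/[&"><]/n` regexp (which warns on UTF-8 input), the alternation `/&|"|>|</` without `n`, and a per-Ruby-version choice of regexp. The following is an added example, not code from this issue, from Rails or from ActiveSupport: a stand-alone escaper with all three forms side by side, a helper that captures the interpreter's warning so it can be checked rather than just noticed on stderr, and a variant that handles the invalid-UTF-8 case mentioned just above (a regexp match against a string with an invalid byte sequence raises `ArgumentError`). The names `HTML_ESCAPE_TABLE`, `html_escape_n`, `html_escape_alt`, `html_escape_versioned`, `html_escape_scrubbed` and `warnings_from` are mine; ActiveSupport's `html_safe?` bookkeeping is left out, and `String#scrub` assumes Ruby 2.1 or later.

```ruby
# Added example (not from the Rails issue or from ActiveSupport): compare the
# escaper variants discussed in the thread on a UTF-8 string.
require 'stringio'

# Same four replacements ERB::Util uses; stand-alone copy (assumption: no
# html_safe? tracking here).
HTML_ESCAPE_TABLE = { '&' => '&amp;', '>' => '&gt;', '<' => '&lt;', '"' => '&quot;' }.freeze

# Original form: /n (ASCII-8BIT) regexp. Matching it against a UTF-8 string
# that contains non-ASCII characters triggers the warning in the issue title.
def html_escape_n(s)
  s.to_s.gsub(/[&"><]/n) { |special| HTML_ESCAPE_TABLE[special] }
end

# Alternative from the thread: alternation without /n. The regexp takes the
# source encoding (UTF-8) and does not warn.
def html_escape_alt(s)
  s.to_s.gsub(/&|"|>|</) { |special| HTML_ESCAPE_TABLE[special] }
end

# The "different regexp per Ruby version" proposal: keep /n only on 1.8.x,
# where strings carry no encoding.
ESCAPE_RE = RUBY_VERSION < '1.9' ? /[&"><]/n : /[&"><]/

def html_escape_versioned(s)
  s.to_s.gsub(ESCAPE_RE) { |special| HTML_ESCAPE_TABLE[special] }
end

# Defensive variant: an invalid byte sequence makes gsub raise ArgumentError,
# so replace invalid bytes with U+FFFD first instead of failing the request.
def html_escape_scrubbed(s)
  html_escape_alt(s.to_s.scrub)
end

# Run a block with warnings enabled and return whatever was written to
# $stderr, so a warning can be asserted on instead of eyeballed.
def warnings_from
  old_stderr, old_verbose = $stderr, $VERBOSE
  $stderr = StringIO.new
  $VERBOSE = true
  yield
  $stderr.string
ensure
  $stderr, $VERBOSE = old_stderr, old_verbose
end

if __FILE__ == $0
  input = '1&2"<3>あ' * 2 # constructed sample, same shape as the benchmark string
  puts "n   : #{html_escape_n(input)}"
  puts "alt : #{html_escape_alt(input)}"
  puts "warning from /n variant  : #{warnings_from { html_escape_n(input) }.inspect}"
  puts "warning from alternation : #{warnings_from { html_escape_alt(input) }.inspect}"
  broken = "\xff<script>".force_encoding('UTF-8') # constructed invalid UTF-8
  puts "scrubbed: #{html_escape_scrubbed(broken)}"
end
```

Both escapers produce identical output for valid UTF-8, so the `/n` flag buys nothing on 1.9 except the warning; the scrubbing variant is the one a view layer actually needs, because a single invalid byte in user input otherwise turns escaping into an exception rather than a sanitised string.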
Aha! Thanks for looking into this :)
I have just run across this issue in Rails 3.2.0 while using JRuby in 1.9 mode (it doesn't occur in 1.8 mode). Do you guys know if this is something that should be fixed in Rails or JRuby, so I know where to raise a ticket?
Will this fix be ported back to Rails 3.1? I'm hitting the same issue there with Ruby 1.9.
Same here.
Yeah, I get this when upgrading to Rails 3.1.4 from 3.1.3 with Ruby 1.9.3:
+1 for backport to 3.1.
Have upgraded to ActiveSupport 3.2.3 and this error is still occurring for me at least:
@rurounijones Are you using Ruby 1.8 mode (or 1.9 mode)?
Ah sorry, as in my previous comment, 1.8 mode works without issue, 1.9 mode causes this issue to appear.
You used 1.9 mode, but according to your stacktrace 1.8 mode was executed. I tested it. It's strange...
cruby 1.9.3
jruby 1.6.7 (1.9 mode)
FYI: jruby-1.7.0.preview1
JRuby's problem?? cc/ @jeremy
This is also a major issue for master, because master doesn't support 1.8 mode code ;-)
Looks like JRuby doesn't match cruby there! See the
I forgot to mention that the JRuby ticket for this issue can be found here: https://jira.codehaus.org/browse/JRUBY-6723
Just to clarify, I run MRI 1.9.3 so this ticket is not JRuby specific. On 15.8.2012, at 7.19, Jeffrey Jones notifications@github.com wrote:
I thought I was responding to #7323. Sorry about the noise. On 15.8.2012, at 7.19, Jeffrey Jones notifications@github.com wrote:
The change from: to: in Rails 3.0.17 introduced the same warning problem when using Ruby 1.9, which is solved in the latest 3-1-stable. Please backport the fix to 3.0.
Bugfixes do not get backported to anything but 3.2. 3.0 and 3.1 are security fix only nowadays.
@steveklabnik your argument is totally valid if a point release doesn't introduce a problem. If a point release does introduce a problem (i.e. a regression), your argument is wrong. Regressions introduced in point releases should always be fixed.
I don't know if you guys saw, but I fixed this issue in the 3-0-stable branch.
Ahh, I see. Many thanks!
I'm getting this warning in Rails 4.2.6 with MRI 2.3.0
I updated Rails to 3.1.3 and I got the following warning:

```
bundler/gems/rails-d06c3b3cd22c/activesupport/lib/active_support/core_ext/string/output_safety.rb:23: warning: regexp match /.../n against to UTF-8 string
```

To not show this warning I changed output_safety.rb line 23 from

```ruby
s.gsub(/[&"><]/n) { |special| HTML_ESCAPE[special] }.html_safe
```

to

```ruby
s.gsub(/[&"><]/) { |special| HTML_ESCAPE[special] }.html_safe
```

removing the `n` option of the regex.
Is this a problem with output_safety? Is there another way to fix this warning?