Just upgraded an app from 3.0.16 to 3.0.18; have not yet gotten the chance to test for this behavior against 3.1.8 and 3.2.8. But the error messages getting automatically built by ActiveRecord are getting mangled by the better html-escaping. I don't think they're getting escaped any more than they were before, but a number of the auto-generated messages include apostrophes, which are now getting escaped. E.g.

```ruby
validates_presence_of :name
```

produces an error that displays like:

```
Name can't be blank
```

Thoughts? I can mark the errors as `#html_safe` before displaying them. But I don't remember clearly if any of the other auto-generated error messages include the user input in their strings, which would make this approach insecure. And obviously, anytime a developer uses the custom error message options, they may stick user input into the message.
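The following is an added example to illustrate the trade-off the issue raises; it is not code from the issue or from Rails. The two `html_escape_*` functions are simplified stand-ins for the escaping behaviour before and after the apostrophe was added to the escaped set (the real Rails implementation differs in detail), and `custom_message`, `render_escaped_once` and `render_marked_safe` are hypothetical helpers. It shows that a single escape of `Name can't be blank` renders correctly in a browser (`&#x27;` displays as an apostrophe), that the "mangled" display appears when an already-escaped message is escaped a second time, and why `html_safe` on a message that may contain user input defeats the escaping entirely.

```ruby
# Escape tables standing in for the two behaviours compared in the issue
# (assumption: simplified model, not the actual Rails code).
OLD_ESCAPES = { '&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;' }.freeze
NEW_ESCAPES = OLD_ESCAPES.merge("'" => '&#x27;').freeze

# Pre-3.0.18 style: apostrophes pass through untouched.
def html_escape_old(str)
  str.gsub(/[&<>"]/, OLD_ESCAPES)
end

# 3.0.18 style: apostrophes are escaped as well.
def html_escape_new(str)
  str.gsub(/[&<>"']/, NEW_ESCAPES)
end

# A browser shows the entity's character, so an entity that is escaped again
# (&amp;#x27;) is what the user actually sees as "&#x27;" on screen.
def double_escaped?(html)
  html.include?('&amp;#') || html.include?('&amp;amp;')
end

# Hypothetical custom validation message that interpolates the rejected value,
# i.e. the case where user input ends up inside the error string.
def custom_message(rejected_value)
  "#{rejected_value} is not a valid name"
end

# Safe rendering: escape exactly once, at output time.
def render_escaped_once(message)
  "<li>#{html_escape_new(message)}</li>"
end

# What marking the message html_safe amounts to: no escaping at output time.
def render_marked_safe(message)
  "<li>#{message}</li>"
end

if __FILE__ == $PROGRAM_NAME
  auto_msg = "Name can't be blank"
  puts render_escaped_once(auto_msg)                  # renders as an apostrophe
  puts html_escape_new(html_escape_new(auto_msg))     # the mangled display
  puts render_marked_safe(custom_message('<b>x</b>')) # raw markup reaches the page
  puts render_escaped_once(custom_message('<b>x</b>'))
end
```

If an error list looks mangled after the upgrade, the thing to check is where the message was escaped the first time (a helper that already escapes, or a string passed through `h` before the view escapes it again), not whether to mark the output `html_safe`; dropping the output-time escape would make every custom message that interpolates a value a place for markup to reach the page.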