
add 'clear' and 'byteslice' as unsafe string methods #12054

Closed
wants to merge 1 commit into from

6 participants

@rajcybage

clear and byteslice are also unsafe string methods

@gardenofwine gardenofwine commented on the diff Aug 30, 2013
...t/lib/active_support/core_ext/string/output_safety.rb
@@ -84,7 +84,7 @@ module ActiveSupport #:nodoc:
class SafeBuffer < String
UNSAFE_STRING_METHODS = %w(
capitalize chomp chop delete downcase gsub lstrip next reverse rstrip
- slice squeeze strip sub succ swapcase tr tr_s upcase prepend
+ slice squeeze strip sub succ swapcase tr tr_s upcase prepend clear byteslice
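Review bot: the hunk adds clear and byteslice to UNSAFE_STRING_METHODS without a regression test; a test that marks a string .html_safe, calls each of the two methods and asserts that html_safe? is no longer true would document why the entries are needed. The irb transcript in this thread already shows byteslice on a safe buffer answering nil to html_safe?, so that entry changes nothing observable, and clear leaves an empty buffer with no markup left to escape, so it does not need the unsafe-copy treatment either.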
@gardenofwine
gardenofwine added a note Aug 30, 2013

Could you elaborate on why clear and byteslice should change the html_safe? status of a string? Specifically, can you provide examples of an html_safe string that can become non-safe because of the usage of these two methods?

@rajcybage
rajcybage added a note Aug 30, 2013

irb(main):046:0> s="asdasd&&&<>".html_safe
=> "asdasd&&&<>"
irb(main):047:0> s.html_safe?
=> true
irb(main):048:0> s.byteslice(8).html_safe?
=> nil
irb(main):053:0> s.byteslice(8..10)
=> "&<>"
irb(main):054:0> s.byteslice(8..10).html_safe?
=> nil

@rajcybage
rajcybage added a note Aug 30, 2013

irb(main):060:0> s="asasasa".clear.html_safe?
=> false

@carlosantoniodasilva
Ruby on Rails member

/cc @fxn can you take a look please?

@JonRowe
JonRowe commented Feb 28, 2014

Did this ever get a second look? /cc @fxn @carlosantoniodasilva

@arthurnn
Ruby on Rails member

I guess before we approve this or not, we need regression tests to illustrate the behaviour that should not be allowed anymore.

@rafaelfranca
Ruby on Rails member

From what I got, the byteslice method already returns an unsafe string when called. So there is no reason to add it to this array.

clear doesn't change the status, but since it removes all characters there is no reason to make it unsafe.

Thank you for the pull request.
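As an added illustration of the mechanism discussed in this thread, not code from Rails or from this pull request, the following is a simplified stand-in for ActiveSupport::SafeBuffer (named SafeBufferModel here, an assumed name) that implements the UNSAFE_STRING_METHODS pattern from the hunk: every listed method returns a plain String copy, which is never html_safe?, and the bang variants drop the safe flag on the buffer itself; String#html_safe? is patched to return false, as Rails does, and the sample inputs are constructed. Run under plain Ruby, it shows why a method like gsub belongs on the list (it can turn escaped text back into markup), that byteslice already yields a result whose html_safe? is falsy without being listed, and that clear leaves a safe but empty buffer while clearing a plain String only ever reports false.

```ruby
require "cgi"

# Mirrors what Rails does for plain Strings: a String is never html_safe?
# (illustrative patch, mirroring Rails' behaviour rather than its code).
class String
  def html_safe?
    false
  end
end

# Simplified stand-in for ActiveSupport::SafeBuffer (assumed name, not
# Rails' code): a String subclass that remembers it was already escaped.
class SafeBufferModel < String
  # Same list as the original hunk, before the proposed additions.
  UNSAFE_STRING_METHODS = %w(
    capitalize chomp chop delete downcase gsub lstrip next reverse rstrip
    slice squeeze strip sub succ swapcase tr tr_s upcase prepend
  )

  def initialize(str = "")
    @html_safe = true
    super
  end

  def html_safe?
    defined?(@html_safe) && @html_safe
  end

  # Appending anything that is not already safe escapes it on the way in.
  def concat(value)
    safe = value.respond_to?(:html_safe?) && value.html_safe?
    super(safe ? value : CGI.escapeHTML(value.to_s))
  end
  alias_method :<<, :concat

  # Non-bang methods can rewrite the content, so they hand back a plain
  # String copy, which is never html_safe?. Bang methods mutate in place
  # and drop the safe flag on this object instead.
  UNSAFE_STRING_METHODS.each do |unsafe_method|
    define_method(unsafe_method) do |*args, &block|
      String.new(self).public_send(unsafe_method, *args, &block)
    end
    define_method("#{unsafe_method}!") do |*args, &block|
      @html_safe = false
      super(*args, &block)
    end
  end
end

# Constructed input: text escaped once and then marked safe.
ESCAPED = "&lt;b&gt;x&lt;/b&gt;".freeze

# gsub is on the list because it can undo the escaping that made the
# buffer safe; the result is therefore a plain, unsafe String.
def unescaped_via_gsub
  safe = SafeBufferModel.new(ESCAPED)
  result = safe.gsub("&lt;", "<").gsub("&gt;", ">")
  [result, result.html_safe?]
end

# byteslice is not on the list, yet the slice never reports itself safe:
# the safe flag lives in an instance variable the slice does not inherit
# (nil on older Rubies, false on Ruby 3 where a plain String comes back).
def byteslice_result
  safe = SafeBufferModel.new("asdasd&&&<>")
  result = safe.byteslice(8..10)
  [result, result.html_safe? ? true : false]
end

# clear mutates in place and returns the same object: still safe, but empty,
# so there is no markup left for the flag to protect. Clearing a plain
# String reports false only because a plain String always does.
def clear_results
  safe = SafeBufferModel.new("asdasd&&&<>")
  cleared = safe.clear
  [cleared.empty?, cleared.html_safe?, "asasasa".clear.html_safe?]
end

# A bang method rewrites the buffer itself, so the flag is dropped on it.
def bang_result
  safe = SafeBufferModel.new("safe")
  safe.upcase!
  [safe, safe.html_safe?]
end

# Why tracking the flag matters: unsafe input is escaped when appended,
# already-safe input is appended verbatim, and the buffer stays safe.
def concat_result
  buf = SafeBufferModel.new("<p>")
  buf << "<script>"
  buf << SafeBufferModel.new("</p>")
  [buf.to_s, buf.html_safe?]
end
```

The model keeps Rails' division of labour: the flag is only ever set by the buffer's own constructor and bang methods, so any path that produces a new object (a listed method's copy, a byteslice, a plain String) comes out unsafe by default, which is the failure mode the list is meant to make explicit.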
