ActiveSupport::SafeBuffer#prepend inconsistency #14529
assert_equal @string, "otherhello" | ||
end | ||
|
||
test "Prepending unsafe unto safe yields escaped safe" do |
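Review bot: `assert_equal @string, "otherhello"` passes the actual value as the first argument, but minitest's signature is `assert_equal(expected, actual)`, so a failure would report expected and actual the wrong way round. Swap them to `assert_equal "otherhello", @string`.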
unto should be onto?
@ming-kernel Yep, you're right. Thanks!
test "Prepending unsafe onto safe yields escaped safe" do | ||
other = "other".html_safe | ||
other.prepend "<foo>" | ||
assert other.html_safe? |
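Review bot: the test only checks `other.html_safe?` after `other.prepend "<foo>"`; it never asserts that the unsafe `<foo>` was actually escaped, so an implementation that merely keeps the buffer marked safe without escaping would still pass. Add `assert_equal "&lt;foo&gt;other", other` next to the html_safe? check so the escaping itself is covered.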
I don't think prepend should even mark a string html safe. We are changing the behavior and also we may be opening a XSS vector.
@rafaelfranca this is how #concat currently works. I guess it'd make sense to use the same behavior for #prepend
What's the status of this? Are we waiting for someone to make a decision or an alternative implementation to show up?
Sorry, many issues to handle. It is missing CHANGELOG
Ah, alright, will add changelog then.
Done.
We should not remove
ok
Make `#prepend` method modify instance in-place and return self instead of just returning modified value. That is exactly what `#prepend!` method was doing previously, so it's deprecated from now on.
Done.
Thank you. I'll merge it
Do we want

```ruby
def concat(value)
  super(maybe_escape(value))
end

def prepend(value)
  super(maybe_escape(value))
end

private

# Escape the incoming value only when this buffer is safe and the value is not.
def maybe_escape(value)
  if html_safe? && !value.html_safe?
    ERB::Util.h(value)
  else
    value
  end
end
```

wdyt?
@matthewd that'll produce two separate methods with exact same implementation, which might be even more confusing than a
Hmm, I just realised there's actually already As for visually matching methods, I personally don't think that's particularly confusing -- especially when the very first word of the method body is 'super'... but I'm just thinking out loud. It's up to @rafaelfranca which he prefers. And the one that someone cared enough to make, sure has a certain argument over my bikeshedding. 💙
I've added a commit to make use of this helper, effectively DRYing the code. Thanks, good catch.
ActiveSupport::SafeBuffer#prepend inconsistency
@@ -4,6 +4,7 @@ | |||
require 'inflector_test_cases' | |||
require 'constantize_test_cases' | |||
|
|||
require 'active_support/deprecation/reporting' |
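Review bot: `require 'active_support/deprecation/reporting'` is added to the test file only, so code that calls the deprecated `SafeBuffer#prepend!` outside this test suite would not have the reporting module loaded when the warning is issued. Move the require into the library file that defines `prepend!` and emits the deprecation, and drop it from the test.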
Shouldn't the require be on the actual file rather than the test?
👍. Fixing
Native ruby String#prepend modifies the instance in-place, while ActiveSupport::SafeBuffer returns a modified version, but the initial object remains unchanged.
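As an added example (not code from this PR or from Rails), a minimal stand-in for ActiveSupport::SafeBuffer that shows the behaviour the thread settles on: prepend mirrors concat through the maybe_escape helper proposed above, mutating the receiver in place and escaping unsafe input so the buffer can safely stay html_safe. The SafeBuffer and String classes and the demo functions below are constructed for this example, with ERB::Util.h standing in for the escaper.

```ruby
require 'erb'
# Constructed stand-in for ActiveSupport::SafeBuffer (not the Rails code): a
# String subclass that knows it is "safe" and escapes unsafe input on both ends.
class SafeBuffer < String
  def html_safe?
    true
  end
  # Existing behaviour: appending unsafe content onto a safe buffer escapes it.
  def concat(value)
    super(maybe_escape(value))
  end
  alias << concat

  # The fix under discussion: prepend mirrors concat, mutating in place,
  # escaping unsafe input and returning self.
  def prepend(value)
    super(maybe_escape(value))
  end

  private

  # Only escape when this buffer is safe and the incoming value is not.
  def maybe_escape(value)
    (html_safe? && !value.html_safe?) ? ERB::Util.h(value) : value
  end
end

class String
  def html_safe?; false; end
  def html_safe; SafeBuffer.new(self); end
end

# Prepending untrusted markup (constructed attacker-style input) onto a safe
# buffer: the markup is escaped and the buffer stays html_safe.
def prepend_unsafe
  "other".html_safe.prepend("<script>alert(1)</script>")
end

# Prepending trusted markup leaves it intact.
def prepend_safe
  "other".html_safe.prepend("<b>".html_safe)
end

# prepend now mutates the receiver and returns it, like String#prepend;
# concat keeps escaping on the other end.
def prepend_in_place?
  buf = "x".html_safe
  buf.prepend("y").equal?(buf) && buf == "yx" && (buf << "<i>") == "yx&lt;i&gt;"
end
```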