ActiveSupport::SafeBuffer#prepend inconsistency #14529
Conversation
I don't think prepend should even mark a string html safe. We are changing the behavior and also we may be opening an XSS vector.
@rafaelfranca this is how #concat currently works. I guess it'd make sense to use the same behavior for #prepend
What's the status of this? Are we waiting for someone to make a decision or an alternative implementation to show up?

Sorry, many issues to handle. It is missing CHANGELOG

Ah, alright, will add changelog then.

Done.

We should not remove

ok
Make the `#prepend` method modify the instance in place and return self instead of just returning the modified value. That is exactly what the `#prepend!` method was doing previously, so it is deprecated from now on.
Done.

Thank you. I'll merge it
Do we want

```ruby
def concat(value)
  super(maybe_escape(value))
end

def prepend(value)
  super(maybe_escape(value))
end

private

def maybe_escape(value)
  if html_safe? && !value.html_safe?
    ERB::Util.h(value)
  else
    value
  end
end
```

wdyt?
@matthewd that'll produce two separate methods with exact same implementation, which might be even more confusing than a
Hmm, I just realised there's actually already

As for visually matching methods, I personally don't think that's particularly confusing -- especially when the very first word of the method body is 'super'... but I'm just thinking out loud. It's up to @rafaelfranca which he prefers. And the one that someone cared enough to make, sure has a certain argument over my bikeshedding. 💙
I've added a commit to make use of this helper effectively DRYing the code. Thanks, good catch. |
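As an added illustration of the escaping rule discussed in this thread (not code from the Rails PR or from ActiveSupport itself), here is a small stand-in class, `MiniSafeBuffer`, showing that an unsafe value prepended to an html_safe buffer is escaped, an already-safe value is not double-escaped, and `#prepend` still behaves like `String#prepend` (mutates the receiver, returns self). Only the Ruby standard library's `ERB::Util.h` is used.

```ruby
# Added example, not Rails' own code: a minimal stand-in for
# ActiveSupport::SafeBuffer mirroring the behaviour agreed in the PR.
require "erb"

class MiniSafeBuffer < String
  def initialize(str = "")
    @html_safe = false
    super(str)
  end

  def html_safe?
    @html_safe
  end

  # Mark the buffer as already-escaped HTML (the caller's responsibility).
  def html_safe
    @html_safe = true
    self
  end

  def concat(value)
    super(maybe_escape(value))
  end
  alias_method :<<, :concat

  # In place and returns self, like String#prepend; unsafe input is
  # escaped only when this buffer is itself marked html_safe.
  def prepend(value)
    super(maybe_escape(value))
  end

  private

  # Escape only when we are safe and the incoming value is not.
  def maybe_escape(value)
    value_safe = value.respond_to?(:html_safe?) && value.html_safe?
    html_safe? && !value_safe ? ERB::Util.h(value) : value
  end
end

# Constructed input: a trusted fragment with untrusted text prepended.
def safe_prepend_demo(untrusted)
  buf = MiniSafeBuffer.new("<b>hi</b>").html_safe
  returned = buf.prepend(untrusted)
  { result: buf.to_s, same_object: returned.equal?(buf), safe: buf.html_safe? }
end
```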
Shouldn't the require be on the actual file rather than the test?
Native Ruby `String#prepend` modifies the instance in-place, while `ActiveSupport::SafeBuffer` returns the modified version, but the initial object remains unchanged.