escape options for the stylesheet_link_tag method #3124

Merged
merged 1 commit into from Sep 25, 2011

@avakhov
avakhov commented Sep 25, 2011

Hello!

I noticed a difference between 2 very similar method implementations:

https://github.com/rails/rails/blob/master/actionpack/lib/action_view/helpers/asset_tag_helpers/javascript_tag_helpers.rb#L19

https://github.com/rails/rails/blob/master/actionpack/lib/action_view/helpers/asset_tag_helpers/stylesheet_tag_helpers.rb#L20

The commits 871b87a and 8db51ee created this difference. But in 2007 HTML-safe buffers didn't exist at all. The stylesheet link implementation, with manual escaping of the path, traveled from one file to another. Now it's dangerous, because it's possible to pass unsafe options, as in the test in my commit.

@josevalim josevalim merged commit 933ba0c into rails:master Sep 25, 2011
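The class of bug described in the comment above, as an added example that is not the code from Rails or from this pull request: a tag builder that escapes only the path lets an option value close its attribute, while escaping every attribute value keeps it inert. The helper names and the sample option value are hypothetical and constructed for illustration.

```ruby
require 'erb'

# Default attributes for a stylesheet link (assumed for this sketch).
DEFAULTS = { 'rel' => 'stylesheet', 'type' => 'text/css', 'media' => 'screen' }.freeze

# Hypothetical model of the pattern the comment describes: the path is
# escaped by hand, but the other option values are interpolated as-is.
def link_tag_path_only_escaped(path, options = {})
  attrs = DEFAULTS.merge(options.transform_keys(&:to_s))
  attrs['href'] = ERB::Util.html_escape(path)
  rendered = attrs.map { |name, value| %(#{name}="#{value}") }.join(' ')
  "<link #{rendered} />"
end

# Hardened form: every attribute value, path included, passes through
# the same escaping step when the tag is rendered.
def link_tag_all_escaped(path, options = {})
  attrs = DEFAULTS.merge(options.transform_keys(&:to_s)).merge('href' => path)
  rendered = attrs.map do |name, value|
    %(#{name}="#{ERB::Util.html_escape(value)}")
  end.join(' ')
  "<link #{rendered} />"
end

# Lists the attribute names a parser would see in a rendered tag, so the
# effect of an unescaped quote is visible as an extra attribute.
def attribute_names(tag)
  tag.scan(/\s([a-zA-Z-]+)="/).flatten
end

# Constructed input: an option value containing a double quote.
sample_options = { media: %q(screen" data-injected="1) }

unsafe = link_tag_path_only_escaped('/styles/app.css', sample_options)
safe   = link_tag_all_escaped('/styles/app.css', sample_options)

puts unsafe
puts attribute_names(unsafe).inspect
puts safe
puts attribute_names(safe).inspect
```

A regression test for this kind of fix can assert on the set of attribute names in the rendered tag rather than on the raw string, which catches any value that escapes its quotes.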