New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Maintain html_safe? on sliced HTML safe strings #33808
Maintain html_safe? on sliced HTML safe strings #33808
Conversation
… original buffer was safe. Co-Authored-By: no-itsbackpack <no-itsbackpack@github.com>
Co-authored-by: no-itsbackpack <no-itsbackpack@github.com>
Thanks for the pull request, and welcome! The Rails team is excited to review your changes, and you should hear from @pixeltrix (or someone else) soon. If any changes to this PR are deemed necessary, please add them as extra commits. This ensures that the reviewer can see what has changed since they last reviewed the code. Due to the way GitHub handles out-of-date commits, this should also make it reasonably obvious what issues have or haven't been addressed. Large or tricky changes may require several passes of review and changes. This repository is being automatically checked for code quality issues using Code Climate. You can see results for this analysis in the PR status below. Newly introduced issues should be fixed before a Pull Request is considered ready to review. Please see the contribution instructions for more information. |
Thanks! Can you add a CHANGELOG entry? |
Co-authored-by: no-itsbackpack <no-itsbackpack@github.com>
The railties failures seem unrelated, so I'll merge this. |
I thought that I already did |
Maintain html_safe? on sliced HTML safe strings rails/rails#33808
I'm coming way late to the party but how is this not extremely dangerous? |
|
@SampsonCrowley I think the assumption here is that the string being operated on is marked "html safe" when it has been html-sanitized (for example, by In that case, any comments or dangerous tags (like As a starting point, here's a script to generate two different "safe" HTML strings: #! /usr/bin/env ruby
require "action_view"
require "active_support"
class Sanitizer
include ActionView::Helpers::SanitizeHelper
end
class Escaper
include ERB::Util
def escape(string)
html_escape(string)
end
end
original = %{<div><script>alert("xss")</script></div>}
# => "<div><script>alert(\"xss\")</script></div>"
safe = Sanitizer.new.sanitize(original)
# => "<div>alert(\"xss\")</div>"
safe.html_safe? # => true
safe = Escaper.new.escape(original)
# => "<div><script>alert("xss")</script></div>"
safe.html_safe? # => true |
@flavorjones sorry my original reply was missing the part marking the string as html_safe Taking the original original comment as an example: In the behavior before this PR: But if you were to then call slice on it, Now
So I don't understand how it's is safe to assume by default that a string that has been sliced from an html_safe string is still html safe just because it was html safe in its original full string Or maybe I'm just misunderstanding the use case |
Summary
This change allows for an HTML safe string to remain HTML safe even when accessed via a range.
Before
After
cc @tenderlove @no-itsbackpack