
Handle more unsafe String methods #33990

Merged
merged 3 commits into from Sep 28, 2018
Conversation


@jaynetics jaynetics commented Sep 26, 2018

Summary

  • adds recently introduced String mutation methods #delete_prefix(!), #delete_suffix(!), and #unicode_normalize(!) to UNSAFE_STRING_METHODS:
# before
string = '<!--evil-->'.html_safe
string.delete_prefix!('<!--')
string.html_safe? # => true

# after
string = '<!--evil-->'.html_safe
string.delete_prefix!('<!--')
string.html_safe? # => false
  • treats String combination methods #[]=, #insert and #replace the same way #prepend and #concat are already treated:
# before
string = 'foo'.html_safe
string[0] = '<b>'
string # => "<b>oo"
string.html_safe? # => true

# after
string = 'foo'.html_safe
string[0] = '<b>'
string # => "&lt;b&gt;oo"
string.html_safe? # => true
  • greatly improves test coverage of unsafe String methods

  • replaces the obscure unsafe_method.respond_to?(unsafe_method) with the faster String.method_defined?(unsafe_method).
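
To make the two rules in the description concrete (mutators drop the safe flag, combinators escape what goes in), here is an added, self-contained Ruby model of the same strategy. It is not the Rails implementation: the SafeBuffer class below, its MUTATORS list, the implicit_html_escape helper and the *_demo functions are all assumptions of this example, and it uses CGI.escapeHTML in place of ActiveSupport's escaping.

```ruby
require "cgi"

# Added illustration, not the Rails code: SafeBuffer here is a stand-alone toy,
# and MUTATORS, implicit_html_escape and the *_demo functions are assumptions.
class String
  def html_safe?
    false
  end

  def html_safe
    SafeBuffer.new(self)
  end
end

class SafeBuffer < String
  # Mutators: the result may no longer be safe markup. The non-bang form returns
  # a plain (unsafe) String; the bang form mutates self and clears the flag.
  MUTATORS = %w(
    capitalize chomp chop delete delete_prefix delete_suffix downcase gsub
    lstrip reverse rstrip squeeze strip sub swapcase tr unicode_normalize upcase
  ).freeze

  def initialize(str = "")
    @html_safe = true
    super(str.to_s)
  end

  def html_safe?
    defined?(@html_safe) && @html_safe
  end

  MUTATORS.each do |name|
    # Skip names this Ruby lacks (e.g. delete_prefix before Ruby 2.5) rather
    # than defining wrappers around a missing method.
    next unless String.method_defined?(name)

    define_method(name) do |*args, &block|
      to_str.public_send(name, *args, &block) # to_str yields a plain String copy
    end

    define_method("#{name}!") do |*args, &block|
      @html_safe = false
      super(*args, &block)
    end
  end

  # Combinators: the buffer stays safe, so whatever is inserted is escaped
  # unless the caller already vouched for it with html_safe.
  def concat(value)
    super(implicit_html_escape(value))
  end
  alias_method :<<, :concat

  def prepend(value)
    super(implicit_html_escape(value))
  end

  def insert(index, value)
    super(index, implicit_html_escape(value))
  end

  def replace(value)
    super(implicit_html_escape(value))
  end

  def []=(*args)
    value = implicit_html_escape(args.pop) # last argument is the new content
    super(*args, value)
  end

  def +(other)
    dup.concat(other)
  end

  private

  def implicit_html_escape(value)
    return value if value.respond_to?(:html_safe?) && value.html_safe?
    CGI.escapeHTML(value.to_s)
  end
end

# A mutator on a safe buffer drops the safety flag (the PR's first example).
def mutator_demo
  buf = "<!--evil-->".html_safe
  buf.delete_prefix!("<!--")
  [buf.to_str, buf.html_safe?] # => ["evil-->", false]
end

# The non-bang form leaves the buffer alone and hands back a plain String.
def non_bang_demo
  buf = "<!--evil-->".html_safe
  stripped = buf.delete_prefix("<!--")
  [stripped.class, stripped.html_safe?, buf.html_safe?] # => [String, false, true]
end

# A combinator keeps the buffer safe by escaping its input (the PR's second example).
def combinator_demo
  buf = "foo".html_safe
  buf[0] = "<b>"
  [buf.to_str, buf.html_safe?] # => ["&lt;b&gt;oo", true]
end

# insert escapes untrusted text but keeps a fragment the caller marked safe,
# which is the behaviour the rack-mini-profiler and bullet commits in this
# thread adapt to.
def insert_demo
  buf = "<p></p>".html_safe
  buf.insert(3, "<b>x</b>".html_safe)
  buf.insert(3, "<script>")
  buf.to_str # => "<p>&lt;script&gt;<b>x</b></p>"
end
```

The guard `String.method_defined?(name)` in the loop is the same idea as the `if` the PR touches: build a wrapper only for names the running Ruby actually has. Note that a plain `String` obtained from the non-bang form has no flag at all, so anything that later re-marks it safe must take responsibility for the escaping itself.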

@rails-bot rails-bot commented Sep 26, 2018

Thanks for the pull request, and welcome! The Rails team is excited to review your changes, and you should hear from @sgrif (or someone else) soon.

If any changes to this PR are deemed necessary, please add them as extra commits. This ensures that the reviewer can see what has changed since they last reviewed the code. Due to the way GitHub handles out-of-date commits, this should also make it reasonably obvious what issues have or haven't been addressed. Large or tricky changes may require several passes of review and changes.

This repository is being automatically checked for code quality issues using Code Climate. You can see results for this analysis in the PR status below. Newly introduced issues should be fixed before a Pull Request is considered ready to review.

Please see the contribution instructions for more information.

@@ -222,7 +235,7 @@ def encode_with(coder)
end

UNSAFE_STRING_METHODS.each do |unsafe_method|
if unsafe_method.respond_to?(unsafe_method)
if String.method_defined?(unsafe_method)
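Review bot: the swap from `unsafe_method.respond_to?(unsafe_method)` to `String.method_defined?(unsafe_method)` is only equivalent because each element of UNSAFE_STRING_METHODS is itself a String, so `respond_to?` on it was already asking String; the new form states that intent directly, but `method_defined?` also returns true for protected methods while `respond_to?` covers public ones only, so the two diverge for any protected name that lands in the list. Whichever form stays, the guard deserves a one-line comment saying why it exists (names the running Ruby does not define are skipped rather than wrapped), since that is what makes adding newer methods such as `delete_prefix` and `unicode_normalize` to the list safe.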

@rafaelfranca rafaelfranca Sep 27, 2018

Speed is not a problem here. This loop only runs once, UNSAFE_STRING_METHODS times, so I prefer to keep the respond_to?.


@jaynetics jaynetics Sep 27, 2018

@rafaelfranca OK, changed back.

@rafaelfranca rafaelfranca merged commit 47f2686 into rails:master Sep 28, 2018
2 checks passed

@rafaelfranca rafaelfranca commented Sep 28, 2018

Thanks!

SamSaffron added a commit to MiniProfiler/rack-mini-profiler that referenced this issue Feb 5, 2019
ActiveSupport SafeBuffer now html escapes on insert in Rails 6. This will
work around the issue by marking our injected script as safe.

See also: rails/rails#33990
tricknotes added a commit to tricknotes/bullet that referenced this issue Nov 2, 2020
In Rails 6, the spec of `ActiveSupport::SafeBuffer#insert` has been changed.
Previously, it behaved just like String, but now it behaves exactly like `ActiveSupport::SafeBuffer`.
See for details: rails/rails#33990
tricknotes added a commit to tricknotes/bullet that referenced this issue Nov 2, 2020
In Rails 6, the spec of `ActiveSupport::SafeBuffer#insert` has been changed.
Previously, it behaved just like String, but now it behaves exactly like `ActiveSupport::SafeBuffer`.
See for details: rails/rails#33990