
Conversation

@jaynetics
Contributor

@jaynetics jaynetics commented Sep 26, 2018

Summary

  • adds recently introduced String mutation methods #delete_prefix(!), #delete_suffix(!), and #unicode_normalize(!) to UNSAFE_STRING_METHODS:

    # before
    string = '<!--evil-->'.html_safe
    string.delete_prefix!('<!--')
    string.html_safe? # => true

    # after
    string = '<!--evil-->'.html_safe
    string.delete_prefix!('<!--')
    string.html_safe? # => false

  • treats String combination methods #[]=, #insert and #replace the same way #prepend and #concat are already treated:

    # before
    string = 'foo'.html_safe
    string[0] = '<b>'
    string # => "<b>oo"
    string.html_safe? # => true

    # after
    string = 'foo'.html_safe
    string[0] = '<b>'
    string # => "&lt;b&gt;oo"
    string.html_safe? # => true

  • greatly improves test coverage of unsafe String methods

  • replaces the obscure unsafe_method.respond_to?(unsafe_method) with the faster String.method_defined?(unsafe_method).
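The two rules the description above settles (bang mutators drop the html_safe mark; combination methods escape an argument unless it is itself html_safe), modelled in a self-contained toy class added here for illustration. This is not Rails' ActiveSupport::SafeBuffer; the class name, the @tainted flag and the safe_buffer_demo helper are assumptions of this example.

```ruby
require "cgi"

# Toy model of ActiveSupport::SafeBuffer's two rules (illustration only, not
# Rails' code): bang mutators taint the receiver; combination methods escape
# any argument that is not itself marked html_safe.
class MiniSafeBuffer < String
  UNSAFE_STRING_METHODS = %w[delete_prefix delete_suffix unicode_normalize sub gsub].freeze

  def html_safe?   # a buffer is trusted until an unsafe mutator touches it
    !@tainted
  end
  UNSAFE_STRING_METHODS.each do |unsafe_method|
    next unless String.method_defined?(unsafe_method)
    # Non-bang form returns a plain String, which carries no html_safe mark.
    define_method(unsafe_method) do |*args, &block|
      String.new(self).public_send(unsafe_method, *args, &block)
    end
    # Bang form rewrites the receiver in place, so the mark must be dropped.
    define_method("#{unsafe_method}!") do |*args, &block|
      @tainted = true
      super(*args, &block)
    end
  end

  # Combination methods: escape what is added, keep the buffer marked safe.
  def insert(index, value)
    super(index, escape_unless_safe(value))
  end
  def []=(*args)
    args[-1] = escape_unless_safe(args[-1])  # the new content is always last
    super(*args)
  end

  private
  def escape_unless_safe(value)
    return value if value.respond_to?(:html_safe?) && value.html_safe?
    CGI.escapeHTML(value.to_s)
  end
end

# Replays the PR's two scenarios; returns [text, html_safe?] for each buffer.
def safe_buffer_demo
  tainted = MiniSafeBuffer.new("<!--evil-->")
  tainted.delete_prefix!("<!--")                 # rewritten in place => untrusted
  combined = MiniSafeBuffer.new("foo")
  combined[0] = "<b>"                            # plain argument gets escaped
  combined.insert(-1, MiniSafeBuffer.new("<i>ok</i>"))  # safe argument kept as-is
  [tainted, combined].map { |b| [String.new(b), b.html_safe?] }
end
```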

@rails-bot

Thanks for the pull request, and welcome! The Rails team is excited to review your changes, and you should hear from @sgrif (or someone else) soon.

If any changes to this PR are deemed necessary, please add them as extra commits. This ensures that the reviewer can see what has changed since they last reviewed the code. Due to the way GitHub handles out-of-date commits, this should also make it reasonably obvious what issues have or haven't been addressed. Large or tricky changes may require several passes of review and changes.

This repository is being automatically checked for code quality issues using Code Climate. You can see results for this analysis in the PR status below. Newly introduced issues should be fixed before a Pull Request is considered ready to review.

Please see the contribution instructions for more information.


UNSAFE_STRING_METHODS.each do |unsafe_method|
if unsafe_method.respond_to?(unsafe_method)
if String.method_defined?(unsafe_method)
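Review bot: the guard on the removed line, unsafe_method.respond_to?(unsafe_method), asks whether the method name itself responds to that method, which only stands in for "does String define this method" while every entry of UNSAFE_STRING_METHODS is a String literal; a Symbol entry would be checked against Symbol's methods and silently skipped, whereas String.method_defined?(unsafe_method) on the added line states the intent directly. Whichever form stays, a one-line comment on why the guard exists at all (the description calls delete_prefix, delete_suffix and unicode_normalize recently introduced, so they are absent on older Rubies) would keep the next reader from taking it for a typo.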
Member


Speed is not a problem here. This loop only runs once, UNSAFE_STRING_METHODS times, so I prefer to keep the respond_to?

Contributor Author


@rafaelfranca OK, changed back.

@rafaelfranca rafaelfranca merged commit 47f2686 into rails:master Sep 28, 2018
@rafaelfranca
Member

Thanks!

SamSaffron added a commit to MiniProfiler/rack-mini-profiler that referenced this pull request Feb 5, 2019
ActiveSupport SafeBuffer now html escapes on insert in Rails 6. This will
work around the issue by marking our injected script as safe.

See also: rails/rails#33990
tricknotes added a commit to tricknotes/bullet that referenced this pull request Nov 2, 2020
In Rails 6, the spec of `ActiveSupport::SafeBuffer#insert` has been changed.
Previously, it behaves like just String, but now `ActiveSupport::SafeBuffer` exactlly.
See for details: rails/rails#33990
tricknotes added a commit to tricknotes/bullet that referenced this pull request Nov 2, 2020
In Rails 6, the spec of `ActiveSupport::SafeBuffer#insert` has been changed.
Previously, it behaves like just String, but now `ActiveSupport::SafeBuffer` exactly.
See for details: rails/rails#33990
CommitMe922 pushed a commit to CommitMe922/rack_mini_profiler that referenced this pull request Nov 21, 2024
ActiveSupport SafeBuffer now html escapes on insert in Rails 6. This will
work around the issue by marking our injected script as safe.

See also: rails/rails#33990