NZKoz / rails_xss

A plugin for Rails 2.3.5 applications which makes escaping the default. Later versions should use rails/rails_xss
MIT License

join and html_safe #15

Closed ghazel closed 14 years ago

ghazel commented 14 years ago

String addition seems to make the output html_safe if the components were, but String#join does not. I believe it should be safe. Is there some case where it won't be?

a = "a".html_safe!
b = "b".html_safe!
c = "-".html_safe!

(a+c+b).html_safe? #=> true
[a,b].join(c).html_safe? #=> nil
NZKoz commented 14 years ago

This can't be implemented without completely overriding Array#join, unfortunately this was too intrusive and expensive, you'll have to manually mark those strings as safe.

ghazel commented 14 years ago

Overriding Array#join was too expensive, but overriding String#+ was not?

How about something like this?

class Array
  def html_safe_join(s)
    if s.html_safe? and all?{|x| x.html_safe? }
      return join(s).html_safe!
    end
    join(s)
  end
end
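As an added example (not code from rails_xss or from this thread), the proposed html_safe_join is shown beside a safe_join that escapes every component not marked safe before marking the result, so a join can never hand unescaped user input to the template. It assumes a constructed stand-in for rails_xss's String#html_safe!/html_safe? marker so that it runs without Rails.

```ruby
require 'cgi'

class String
  # Constructed stand-in for rails_xss's marker: a plain flag on the string
  # (a freshly built string, e.g. the result of join, carries no flag).
  def html_safe!
    @_html_safe = true
    self
  end

  def html_safe?
    @_html_safe == true
  end
end

module HtmlSafeJoin
  # Escape a component unless it has already been marked safe.
  def self.escape_unless_safe(str)
    s = str.to_s
    s.html_safe? ? s : CGI.escapeHTML(s)
  end
end

class Array
  # The proposal from the thread: mark the result safe only when the
  # separator and every element are safe; otherwise return the join
  # unmarked so the view layer escapes it as a whole.
  def html_safe_join(sep)
    if sep.html_safe? && all? { |x| x.html_safe? }
      join(sep).html_safe!
    else
      join(sep)
    end
  end

  # Defensive variant: escape each unsafe element (and the separator),
  # then mark the whole result safe. Already-safe markup passes through
  # untouched, untrusted strings are escaped individually.
  def safe_join(sep = "")
    parts = map { |x| HtmlSafeJoin.escape_unless_safe(x) }
    parts.join(HtmlSafeJoin.escape_unless_safe(sep)).html_safe!
  end
end
```

The difference shows with mixed input: html_safe_join returns an unmarked string that the template must escape entirely, while safe_join keeps the trusted markup and escapes only the untrusted parts.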

NZKoz commented 14 years ago

Overriding String#+ actually was pretty expensive, so it's not there in master any more, where a simpler and more consistent approach is taken.

http://yehudakatz.com/2010/02/01/safebuffers-and-rails-3-0/

So yeah, I'll leave this closed