NZKoz / rails_xss

A plugin for Rails 2.3.5 applications that makes HTML escaping the default. Later versions should use rails/rails_xss.
MIT License
215 stars 39 forks

lib/rails_xss/erubis.rb add_expr_literal() has issues with 'raw' inside strings. #20

Closed saschpe closed 13 years ago

saschpe commented 14 years ago

Consider the following template snippet:

<%= link_to 'foo raw bar', 'foo' %>

This fails in version rails_xss-0.1.3 in lib/rails_xss/erubis.rb:15 in the regex query that looks for 'raw'. It should also check if the match is inside a string expression.
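The failure mode reported above, as an added example that is not code from rails_xss (the regex at erubis.rb:15 is not quoted in the issue, so the `/\braw\b/` check below is an assumption that models the described behaviour, and the helper names `naive_raw_call?`, `raw_call?`, `strip_string_literals` and `render_expr` are invented here). It shows why a bare word-match on `raw` is the wrong way to decide that an expression's output is already safe: the word inside a quoted argument is picked up too, and if such a match flipped the expression to unescaped output it would widen the XSS surface rather than just break rendering. Stripping string literals before matching keeps the decision based on code, not data:

```ruby
require 'erb'

# Added example, not rails_xss code. Assumed naive check: any word-boundary
# `raw` marks the expression as "already safe", including `raw` that only
# appears inside a quoted argument such as link_to 'foo raw bar', 'foo'.
def naive_raw_call?(code)
  !!(code =~ /\braw\b/)
end

# Single- and double-quoted Ruby string literals, honouring backslash escapes.
STRING_LITERAL = /"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'/

# Replace every string literal with an empty one so that only `raw` that is
# actually part of the Ruby code can match.
def strip_string_literals(code)
  code.gsub(STRING_LITERAL, '""')
end

# Literal-aware check: true only when `raw` appears as code, not as data.
def raw_call?(code)
  !!(strip_string_literals(code) =~ /\braw\b/)
end

# Models the append decision an escaping ERB handler makes for an expression:
# output of a `raw` call is passed through, everything else is HTML-escaped.
# (Assumed shape; the real plugin's output-buffer calls are not shown here.)
def render_expr(code, value)
  raw_call?(code) ? value : ERB::Util.html_escape(value)
end

# Constructed sample expressions with the classification a reviewer expects.
SAMPLES = {
  "link_to 'foo raw bar', 'foo'" => false, # the case from the issue
  "raw link_to 'foo', 'foo'"      => true,  # genuine raw call
  "raw(\"<b>x</b>\")"             => true,  # raw with a literal argument
  "\"it says raw\" + user_input"  => false, # raw only inside a string
  "rawdata"                       => false, # different identifier
}

if __FILE__ == $0
  SAMPLES.each do |code, expected|
    puts "#{code.ljust(32)} naive=#{naive_raw_call?(code)} " \
         "fixed=#{raw_call?(code)} expected=#{expected}"
  end
end
```

Running the block prints the naive and literal-aware verdicts side by side; only the naive check flags the `link_to 'foo raw bar', 'foo'` line. The literal stripper is deliberately limited to plain quoted strings; `%q{}`-style literals and heredocs would need further rules, which is one more reason a tokenizer-level decision beats a regex over the raw expression text.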

saschpe commented 13 years ago

Seems to be fixed in the rails/rails_xss fork