binarylogic / searchlogic

Searchlogic provides object based searching, common named scopes, and other useful tools.
http://rdoc.info/projects/binarylogic/searchlogic
MIT License

Rails Helpers in `order` use HTML Entities which don't play nice with Rails+XSS #97

Open asanghi opened 14 years ago

asanghi commented 14 years ago

Hey,

Order helper method uses HTML Entities ▲ and ▼ to show the Up and Down arrows. This is then used to create the link's name. However, because of rails_xss (which I believe will be default in Rails 3 and can be optionally switched on in 2.3.8 with the rails_xss plugin), this gets escaped and I see &#9650; in the output.

searchlogic-2.4.19/lib/searchlogic/rails_helpers.rb, line 47 of 7

I believe we need to do "html_safe" (or "html_safe!" on older versions) to get this to be right.

```ruby
# before
link_to (options[:as]), url_for(url_options), html_options

# after
link_to (options[:as]).html_safe, url_for(url_options), html_options
```

Or something to that effect.

Cheers, Aditya
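The behaviour described above, as an added example that is not part of the original issue or of searchlogic's code. Since it has to run without Rails, it models the relevant rails_xss semantics with a tiny stand-in (`SafeString`, `String#html_safe`, `output_escape`) that mirrors `ActiveSupport::SafeBuffer` and `String#html_safe`; `UP_ARROW`, `naive_link_text`, `blanket_html_safe_link_text` and `escaped_label_link_text` are names chosen here. It shows the reported escaping of the arrow entity, the blanket `html_safe` fix, and the narrower alternative of escaping the label and marking only the entity safe, so the label text cannot inject markup if it ever comes from an untrusted source.

```ruby
require "erb"

# Stand-in for ActiveSupport::SafeBuffer (assumption: Rails is not loaded).
# Instances are treated as already-escaped markup and passed through as-is.
class SafeString < String
  def html_safe?
    true
  end
end

class String
  # Mirror Rails' String#html_safe? (false) and String#html_safe (wrap).
  def html_safe?
    false
  end

  def html_safe
    SafeString.new(self)
  end
end

# What rails_xss does when a value is written into a template: escape anything
# that is not marked html_safe.
def output_escape(str)
  str.html_safe? ? str.to_s : ERB::Util.html_escape(str)
end

# The entity searchlogic's order helper uses for the "up" arrow (▲).
UP_ARROW = "&#9650;"

# 1. The bug from the issue: label and entity are escaped together, so the
#    browser shows the literal text "&#9650;" instead of an arrow.
def naive_link_text(label)
  output_escape("#{label} #{UP_ARROW}")
end

# 2. The fix proposed in the issue: mark the whole string html_safe. The arrow
#    now renders, but so does any markup contained in the label.
def blanket_html_safe_link_text(label)
  output_escape("#{label} #{UP_ARROW}".html_safe)
end

# 3. Escape the label first, then append the trusted entity and mark the
#    result safe. Only the constant entity bypasses escaping.
def escaped_label_link_text(label)
  output_escape((ERB::Util.html_escape(label) + " " + UP_ARROW).html_safe)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample labels: a normal column title and one carrying markup.
  ["Price", "<b>Price</b>"].each do |label|
    puts "naive:    #{naive_link_text(label)}"
    puts "blanket:  #{blanket_html_safe_link_text(label)}"
    puts "escaped:  #{escaped_label_link_text(label)}"
  end
end
```

In the real helper the `options[:as]` label is usually a developer-supplied column title, so the blanket `html_safe` is often harmless; escaping the label and marking only the entity safe costs nothing extra and keeps the helper correct if the label is ever built from request parameters.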

eet-nu commented 14 years ago

I thought link_to output was marked as html_safe. I have the same problem though.

Solution mentioned works.

marco-martins commented 12 years ago

Hello, I want to remove the arrows from the links to apply other images based on class. How can I do that?