bootstrap-ruby / bootstrap_form

Official repository of the bootstrap_form gem, a Rails form builder that makes it super easy to create beautiful-looking forms using Bootstrap 5.
MIT License

Fix joins not to make strings unsafe #704

Closed lcreid closed 9 months ago

lcreid commented 9 months ago

The basic String#join makes its output unsafe in all cases. This might have been causing unwanted and problematic escaping in some cases. This PR removes the use of String#join. It should still escape unsafe strings passed in from the calling code, while not escaping anything that is already safe. However, that's something reviewers should put some thought into, and comment on.

This PR may cause some text to be escaped that wasn't previously escaped, but those cases would have been potentially security vulnerabilities, so I think it's justifiable in closing that possible loophole. The fix would be for the calling code to pass its string as string.html_safe if the code is confident the string is safe (i.e. it doesn't come from the user or the database or something external). If the string wasn't safe, then it should get escaped.
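As an added illustration (not code from this PR or from bootstrap_form), a small Ruby model of the behaviour described above: Array#join returns a plain String, so the safety marker is lost and already-safe markup gets escaped a second time, while marking the joined result safe would also mark untrusted text safe; a safe_join-style concatenation escapes only the untrusted parts. The SafeBuffer class is a hypothetical, simplified stand-in for ActiveSupport::SafeBuffer, safe_join is re-implemented here, and the sample strings are constructed.

```ruby
require "erb"

# Simplified stand-in for ActiveSupport::SafeBuffer (hypothetical, not the real
# class): a String that knows it is safe and escapes unsafe content appended to it.
class SafeBuffer < String
  def html_safe?; true; end

  def <<(other)
    super(other.html_safe? ? other : ERB::Util.html_escape(other))
  end
end

# Rails marks plain Strings unsafe; html_safe wraps one without escaping it.
class String
  def html_safe?; false; end
  def html_safe; SafeBuffer.new(self); end
end

# Re-implementation of the safe_join idea: every part (and the separator) is
# escaped unless already safe, and the result is itself safe.
def safe_join(parts, sep = "")
  parts.each_with_index.inject(SafeBuffer.new) do |out, (part, i)|
    out << sep unless i.zero?
    out << part
  end
end

# Before the fix: Array#join returns a plain String, so the builder's own
# markup is treated as unsafe and escaped a second time when rendered.
def join_then_append(label, help_text)
  SafeBuffer.new("<div>") << [label, help_text].join(" ") << "</div>".html_safe
end

# The loophole the PR closes: marking the joined string safe also marks the
# untrusted help text safe, so it reaches the page unescaped.
def join_then_mark_safe(label, help_text)
  SafeBuffer.new("<div>") << [label, help_text].join(" ").html_safe << "</div>".html_safe
end

# After the fix: safe content is kept as-is and only the untrusted part is escaped.
def safe_join_then_append(label, help_text)
  SafeBuffer.new("<div>") << safe_join([label, help_text], " ") << "</div>".html_safe
end

# Constructed sample input: markup from the builder plus untrusted user text.
LABEL = "<label>Name</label>".html_safe
HELP  = "Tom & Jerry <3"

puts join_then_append(LABEL, HELP)      # builder markup double-escaped
puts join_then_mark_safe(LABEL, HELP)   # user text emitted raw
puts safe_join_then_append(LABEL, HELP) # label kept, user text escaped once
```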