Closed: kitop closed this issue 14 years ago
On another app, I'm using ERB instead of Haml and Jammit to package assets, and I have the same problem: using `<%= include_stylesheets :common %>` I get `<link href="&#47;stylesheets&#47;style.css?1282679284" media="screen" rel="stylesheet" type="text/css" />`, but it does not happen with javascripts (also using the Jammit helper) or image_tag.
Yes, that's on purpose. Take a look at issue #4, where the escaping of `/` is suggested by the author of the ticket and also by OWASP (http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet). Escaping the `/` is perfectly safe(r) and works fine in all the modern browsers I tested it with. The reason you'd want this is that in most browsers (and some HTML specs) attributes don't need to have quotes wrapped around them. Be that as it may, if the slash weren't escaped, a malicious user would be able to prematurely end your tag and start their own (like a script tag with some malicious code in it).
We've been using this in production at HomeRun.com for a while now with no issues.
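An added illustration of the escaping rule described above (not escape_utils' own code): a minimal attribute escaper that follows the OWASP character set, including `/` as `&#47;`, a helper that rebuilds the link tag from the thread, and a decoder showing the browser still resolves the path as written. The helper names and the sample path/timestamp are assumptions for this example.

```ruby
# Added example, not escape_utils' code: escape the OWASP attribute set,
# treating '/' the same way escape_utils does (&#47;).
require 'cgi'

ATTR_ESCAPES = {
  '&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
  '"' => '&quot;', "'" => '&#39;', '/' => '&#47;'
}.freeze

# Characters that can close an attribute value or the tag itself when the
# value ends up in an unquoted attribute (the browser behaviour the
# maintainer refers to).
TAG_BREAKERS = /[<>"'\/]/

def escape_attr(value)
  value.gsub(/[&<>"'\/]/) { |c| ATTR_ESCAPES[c] }
end

# Rebuild the stylesheet link from the thread (hypothetical helper); the
# slashes in the path come out as &#47;, which is what kitop observed.
def stylesheet_link(path, stamp)
  %(<link href="#{escape_attr("#{path}?#{stamp}")}" media="screen" rel="stylesheet" type="text/css" />)
end

# True when the escaped value contains nothing that could terminate an
# unquoted attribute or the enclosing tag.
def safe_in_unquoted_attr?(escaped)
  escaped !~ TAG_BREAKERS
end

# What the browser does with the entity-encoded value before using it as a URL.
def decode_attr(escaped)
  CGI.unescapeHTML(escaped)
end

if __FILE__ == $0
  # Constructed sample input matching the path reported in the issue.
  puts stylesheet_link('/stylesheets/generated/page.css', 1285816823)
  puts decode_attr(escape_attr('/stylesheets/generated/page.css?1285816823'))
end
```

The round trip through `decode_attr` is why the stylesheets still load normally even though the markup looks odd.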
I'm using escape_utils with Haml and I'm getting some weird output when I use `= stylesheet_link_tag "generated/page"`. The output is `<link href="&#47;stylesheets&#47;generated&#47;page.css?1285816823" media="screen" rel="stylesheet" type="text/css" />` when it should be `<link href="/stylesheets/generated/page.css?1285816823" media="screen" rel="stylesheet" type="text/css" />`.
It's escaping the slashes; is that correct? The stylesheets load normally, but I think it shouldn't be escaped.
It's also happening on javascript_include_tag: `<script src="&#47;javascripts&#47;jquery.js?1266118505" type="text/javascript"></script>` and image_tag.
Both in development and production. Using escape_utils 0.1.6 and haml 3.0.21 on Rails 3 (both with Mongrel and Passenger), Ruby 1.8.7 and Ruby 1.9.2.