edgarjs / ajaxful-rating

Provides a simple way to add rating functionality to your application.
http://rdoc.info/projects/edgarjs/ajaxful-rating

escaping HTML #18

Closed majkiw closed 14 years ago

majkiw commented 14 years ago

With Ruby 1.9.1 on Rails 3, when I call the helper ratings_for, all the `<li>` tags are changed to `&lt;li&gt;`. It appears that in the function AjaxfulRating::StarsBuilder::ratings_tag, when calling stars.join in the last line, the stars are converted from ActiveSupport::SafeBuffer to String, which later causes escaping. My workaround: concatenate them instantly, without an array and join:

```ruby
def ratings_tag
  width = (show_value / rateable.class.max_stars.to_f) * 100
  li_class = "axr-#{show_value}-#{rateable.class.max_stars}".gsub('.', '')
  @css_builder.rule('.ajaxful-rating', :width => (rateable.class.max_stars * 25))
  @css_builder.rule('.ajaxful-rating.small', :width => (rateable.class.max_stars * 10)) if options[:small]

  # Start from the SafeBuffer that content_tag returns and append to it with <<,
  # so the html_safe flag is kept (Array#join would hand back a plain String).
  stars = @template.content_tag(:li, i18n(:current), :class => "show-value", :style => "width: #{width}%")
  (1..rateable.class.max_stars).each do |i|
    stars << star_tag(i)
  end
  @template.content_tag(:ul, stars, :class => "ajaxful-rating#{' small' if options[:small]}")
end
```
edgarjs commented 14 years ago

Thank you for letting me know. The rails3 branch isn't functional yet, only generators have been updated.

In rails3, any string will be escaped in view outputs. To avoid it you need to flag the string with html_safe! like: `"<li>".html_safe!`

2case commented 14 years ago

how do we fix this under ruby 1.9.1 and rails 2.3.8 with rails_xss plugin installed?

edgarjs commented 14 years ago

v2.2.7 of the plugin now handles this. Please update your gem.
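The mechanism the thread describes (majkiw's observation that stars.join turns SafeBuffers into a String, and edgarjs's note that Rails 3 escapes any string that is not flagged html_safe), reproduced with a minimal stand-in. This is an added example, not code from ajaxful-rating or from ActiveSupport: the SafeBuffer, content_tag and view_output definitions below are assumptions that model the Rails 3 semantics (a value is escaped on output unless it carries the html_safe flag, appending an unflagged String to a SafeBuffer escapes it, and content_tag escapes an unflagged body), and star_fragments, ratings_tag_with_join, ratings_tag_with_concat and the label_* helpers are hypothetical names. It shows why Array#join loses the flag, why the << workaround keeps it, and why the tempting shortcut of calling html_safe on the joined String is not a fix: it also marks any user-supplied text inside the fragments as safe.

```ruby
require 'erb'

# Assumption: a minimal model of Rails 3 output safety, not ActiveSupport's
# own SafeBuffer. A plain String is "unsafe" and gets escaped on output; a
# SafeBuffer is a String whose content is already HTML.
class String
  def html_safe?
    false
  end

  def html_safe
    SafeBuffer.new(self)
  end
end

class SafeBuffer < String
  def html_safe?
    true
  end

  # Appending an unflagged String escapes it; appending a SafeBuffer does not.
  def <<(other)
    super(other.html_safe? ? other : ERB::Util.html_escape(other))
  end
end

# Stand-in for what a Rails 3 view does with every value it outputs.
def view_output(value)
  value.html_safe? ? value.to_s : ERB::Util.html_escape(value)
end

# Stand-in for content_tag: tag and attribute names are trusted, attribute
# values are escaped, and the body goes through SafeBuffer#<<.
def content_tag(name, body, attrs = {})
  attr_html = attrs.map { |k, v| %( #{k}="#{ERB::Util.html_escape(v.to_s)}") }.join
  buf = SafeBuffer.new("<#{name}#{attr_html}>")
  buf << body
  buf << "</#{name}>".html_safe
end

# Simplified version of the <li> fragments ratings_tag builds (hypothetical).
def star_fragments(max_stars, current_width)
  stars = [content_tag(:li, "Current rating", :class => "show-value", :style => "width: #{current_width}%")]
  (1..max_stars).each { |i| stars << content_tag(:li, i.to_s, :class => "stars-#{i}") }
  stars
end

# The pattern reported in the issue: Array#join always returns a plain
# String, so the html_safe flag is gone and content_tag escapes the markup.
def ratings_tag_with_join(max_stars, current_width)
  stars = star_fragments(max_stars, current_width)
  view_output(content_tag(:ul, stars.join, :class => "ajaxful-rating"))
end

# The workaround from the issue: append each SafeBuffer with <<, so the flag
# survives and the <li> tags are emitted as markup.
def ratings_tag_with_concat(max_stars, current_width)
  buf = SafeBuffer.new("")
  star_fragments(max_stars, current_width).each { |fragment| buf << fragment }
  view_output(content_tag(:ul, buf, :class => "ajaxful-rating"))
end

# The shortcut "join, then html_safe" keeps the tags but also trusts whatever
# was inside the fragments: a label taken from user input is emitted verbatim.
def label_join_then_html_safe(user_label)
  view_output(["<li>".html_safe, user_label, "</li>".html_safe].join.html_safe)
end

# With << the same label is escaped, because it never carried the flag.
def label_concat(user_label)
  buf = SafeBuffer.new("")
  ["<li>".html_safe, user_label, "</li>".html_safe].each { |fragment| buf << fragment }
  view_output(buf)
end

if __FILE__ == $0
  puts ratings_tag_with_join(2, 50)
  puts ratings_tag_with_concat(2, 50)
  puts label_join_then_html_safe('<img src=x onerror=alert(1)>')   # constructed input
  puts label_concat('<img src=x onerror=alert(1)>')                 # constructed input
end
```

The point generalises to any helper that assembles markup from fragments: keep the safe flag per fragment and let concatenation escape the unflagged ones, rather than re-flagging the assembled String after the fact.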