Closed chr1s1 closed 8 years ago
updated description as & was transformed to &
+1
+1 Any solution to this problem? I reverted to 2.0.0 and this problem doesn't occur.
+1 same problem in keyword and description if I use e.g. John's
Put this code in meta_tags.rb
file under config/initializers
and restart your app:
module MetaTags
# Module contains helpers that normalize text meta tag values.
module TextNormalizer
def self.truncate(string, limit = nil, natural_separator = ' ')
string = helpers.truncate(string, length: limit, separator: natural_separator, omission: '', escape: false) if limit
string
end
def self.normalize_keywords(keywords)
return '' if keywords.blank?
keywords = cleanup_strings(keywords).each(&:downcase!).map(&:html_safe)
separator = strip_tags MetaTags.config.keywords_separator
keywords = truncate_array(keywords, MetaTags.config.keywords_limit, separator)
safe_join(keywords, separator)
end
end
end
This works only for version 2.1.0!!!
The problem is, that the strings gets encoded twice. Truncate gets as parameter an escaped string and don't needs to escape the string again. safe_join
needs all keywords as html_safe
because the keywords has been encoded with cleanup_strings
just before.
@phlegx that doesn't solve the title problem. You have #85 and #105 open for that
This is now an issue for everyone that wants to upgrade to the Rails 4.2.5.1 security patch
@mrfoto why? My title is shown correctly with the above code. I take a look at the linked issues. Thx @prosanelli, here more about the patch http://weblog.rubyonrails.org/2016/1/25/Rails-5-0-0-beta1-1-4-2-5-1-4-1-14-1-3-2-22-1-and-rails-html-sanitizer-1-0-3-have-been-released/
Rails rails-html-sanitizer gem (included in Rails 4.2 and above) has a security alert. This gem includes used method strip_tags
.
Put this code in meta_tags.rb
file under config/initializers
and restart your app to test:
module MetaTags
# Module contains helpers that normalize text meta tag values.
module TextNormalizer
def self.strip_tags(string)
ERB::Util.html_escape helpers.sanitize(string)
end
end
end
@phlegx So the solution would be chaning https://github.com/Elektron1c97/meta_tags-rails/blob/master/lib/meta_tags-rails/text_normalizer.rb#L74 <= this line
to
def self.strip_tags
ERB::Util.html_escape helpers.sanitize(string)
end
?
Should be resolved in https://github.com/kpumuk/meta-tags/pull/120
Hi! In the new version 2.4.0 I get this description and this keywords as example:
Description tag:
Don't ...
Keywords Tag
keyword1, don&#39;t
The description tag is ok but not the keyword because &
of '
gets re-sanitized. Any idea?
I found that the following code at text_normalizer.rb#L98 re-encodes the keywords:
def self.safe_join(array, sep = $,)
helpers.safe_join(array, sep)
end
This function is called by text_normalizer.rb#L57.
def self.normalize_keywords(keywords)
return '' if keywords.blank?
keywords = cleanup_strings(keywords).each(&:downcase!)
separator = strip_tags MetaTags.config.keywords_separator
keywords = truncate_array(keywords, MetaTags.config.keywords_limit, separator)
# variable keywords should be an array of raw elements because cleanup is always done on line 59.
safe_join(keywords, separator)
end
Hi @siegy22 and @kpumuk! I use latest version 2.4.0. I have solved the problem described in the last comment with this code:
module MetaTags
module TextNormalizer
def self.normalize_keywords(keywords)
return '' if keywords.blank?
keywords = cleanup_strings(keywords).each(&:downcase!)
separator = strip_tags MetaTags.config.keywords_separator
keywords = truncate_array(keywords, MetaTags.config.keywords_limit, separator)
# Replace safe_join with simple join.
# safe_join produces from don't the re-escaped string don&#39;t
keywords.join(separator)
end
end
class Tag
def render(view)
# Method tag don't accepts symbols as option values.
attributes.each { |k, v| attributes[k] = v.to_s if v.is_a?(Symbol) }
# Keywords don't should be re-escaped.
escape = attributes[:name] == 'keywords' ? false : true
# Method tag re-escapes keywords values.
# tag(name, options = nil, open = false, escape = true)
view.tag(name, attributes, false, escape)
end
end
end
Whit this changes I have all meta tags (title, description, keywords, etc.) escaped in the right way. This is not an elegant way but it shows how the problem can be solved. The attributes as a symbol can be changed in file renderer.rb using a string instead of a symbol e.g.:
render_with_normalization(tags, 'description')
render_with_normalization(tags, 'keywords')
Hi,
I experienced a weird behaviour of the meta_tags title:
If i have a title like "This is a awesome title & it is short" then it will be transformed to "This is a awesome title & it is short" which is not what I want as browsers like chrome actually show the &. I tried to put an decode function around the title, but nothing seems to work. Any idea where this comes from and how I am able to change it?
Chris