escape_attrs wraps incorrectly? #1019
Comments
First approach in #1020, I think the wrapper should be via However, if implemented globally, we could avoid concatenating the
Even with the patch, I noticed that some attributes were not escaped correctly. This happens with

```ruby
# Haml 5's AttributeCompiler (as posted in the thread): builds the Temple
# S-expression that renders one attribute from its merged values.
def compile_common_attribute(key, values)
  var = unique_name
  [:multi,
    # evaluate the (possibly dynamic) attribute value once into a temp var
    [:code, "#{var} = (#{merged_value(key, values)})"],
    [:case, var,
      # a Hash value (e.g. data: {...}) is expanded at runtime
      ['Hash', runtime_build([AttributeValue.new(:dynamic, key, var)])],
      # true renders a boolean attribute; false/nil render nothing
      ['true', true_value(key)],
      ['false, nil', [:multi]],
      [:else, [:multi,
        # opening wrapper quote, the value (escaped only when @escape_attrs
        # is set), then the closing wrapper quote: three separate nodes that
        # Temple concatenates later
        [:static, " #{key}=#{@attr_wrapper}"],
        [:escape, @escape_attrs, [:dynamic, var]],
        [:static, @attr_wrapper]],
      ]
    ],
  ]
end
```

This is where the concatenation happens, however it's just preparing it to be passed to Temple, I think, and this is where I got stuck. The issue is getting bigger, it seems.
Your use case sounds legit. If you don't mind, I'd be interested to see a minimum project which reproduces the issue using both Haml and Vue so that we can confirm it's fixed while thinking about some options. Let me ask a few questions about your proposal:
Hey @k0kubun, here's the minimum project you requested, you can clearly see both issues with and without `html_safe` being called: https://github.com/faelsoto/hamltest (Just install and head to the root.) Regarding both questions, I think both are great since they don't break the HTML.
Great, thank you for your help! In this app, when I click the first
While it's not causing an issue on the first link, the HTML entities might not be what's expected, and if you ask me, there should be a way to turn them off, because if this attribute has a JSON-encoded string, it will be much larger than it needs to be. However, it doesn't cause any issues because the JS parser is very lenient, I guess. But yeah, the second link is where the issue is obviously seen.
OK, so in your hamltest app, we see two different issues:
1 seems the main thing reported by this issue, so I'm not gonna close this issue as duplicated. Because Do you want both 1 and 2 to be fixed, or is fixing 2 more important than 1 for the time being?
Oh, I totally forgot about
Regarding the same idea of #984, we're migrating an app to newer Ruby/Rails versions, and it seems that the 4.x behavior isn't complete with just `escape_interpolated_html`, as the attributes are being a little weird.

On 4.x:

On 5.1.2:

This change breaks the inline templates for libraries like Vue. Digging in the code, I find `escape_attrs`, which doesn't help on either version, both outputting:

Is this the expected output? I'm not seeing a case in which I would like to break out of the attribute value; I think this is a security issue.

I found that the `attr_wrapper` option can be assigned to a symbol that will wrap the attribute (single quotes by default), but this would break whenever the attribute value has the same value.

My proposal is to call `inspect` for the attribute value:

Does that make sense? Should I start working on a PR, or is it part of the spec or wontfix?
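As an added example (not Haml's code and not the patch from #1020), the Ruby below models the rendering step this thread is about: a value is placed between `attr_wrapper` quotes and is escaped, or not, according to an `escape_attrs`-style option, and a check reports whether the value could have closed the attribute early, which is the break-out the report calls a security issue. It goes a bit beyond the report: the `:minimal` mode escapes only `&` and the wrapper quote, which is what a quoted attribute value needs to stay a single attribute and keeps a JSON-encoded value much shorter than full entity escaping. The module name, the `single_attribute?` helper, the `:minimal` mode and the sample JSON payload are this example's own assumptions.

```ruby
# Added example, not Haml's code: models " key=<wrapper>value<wrapper>" rendering
# with an escape_attrs-style option, plus a defender's check that the value
# never closes the attribute early.
require 'json'

module AttrEscape
  ENTITIES = { '&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;' }.freeze
  # Tail of a character reference (named, decimal or hex) after its '&'.
  CHAR_REF_TAIL = /(?:[a-zA-Z][a-zA-Z0-9]*|#[0-9]+|#[xX][0-9a-fA-F]+);/

  # Escape +value+ for use inside an attribute delimited by +wrapper+.
  #   :always  -> escape & < > " '  (what escape_attrs: true does)
  #   :once    -> same, but leave existing character references alone
  #   :minimal -> escape only & and the wrapper quote (this example's addition);
  #               the HTML tokenizer ends a quoted attribute value only at the
  #               matching quote, so this is enough to stay inside the attribute
  def self.escape(value, wrapper: "'", mode: :always)
    raise ArgumentError, "wrapper must be ' or \"" unless ["'", '"'].include?(wrapper)
    s = value.to_s
    case mode
    when :always  then s.gsub(/[&<>"']/, ENTITIES)
    when :once    then s.gsub(/&(?!#{CHAR_REF_TAIL})|[<>"']/, ENTITIES)
    when :minimal then s.gsub(/[&#{Regexp.escape(wrapper)}]/, ENTITIES)
    else raise ArgumentError, "unknown mode #{mode.inspect}"
    end
  end

  # Render one attribute the way the compiler assembles it: static opening
  # quote, the (maybe escaped) value, static closing quote. escape_attrs mirrors
  # Haml's option values true / :once / false; :minimal is this example's own.
  def self.attribute(key, value, wrapper: "'", escape_attrs: true)
    body =
      case escape_attrs
      when true     then escape(value, wrapper: wrapper, mode: :always)
      when :once    then escape(value, wrapper: wrapper, mode: :once)
      when :minimal then escape(value, wrapper: wrapper, mode: :minimal)
      when false    then value.to_s
      else raise ArgumentError, "unknown escape_attrs #{escape_attrs.inspect}"
      end
    " #{key}=#{wrapper}#{body}#{wrapper}"
  end

  # Defender's check: does +rendered+ still parse as exactly one quoted
  # attribute, i.e. the wrapper quote never occurs inside the value?
  def self.single_attribute?(rendered, wrapper: "'")
    q = Regexp.escape(wrapper)
    rendered.match?(/\A [A-Za-z_:][-A-Za-z0-9_:.]*=#{q}[^#{q}]*#{q}\z/)
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a Vue-style prop carrying a JSON document that happens
  # to contain the default wrapper quote.
  payload = { 'title' => "it's <b>bold</b>", 'count' => 2 }.to_json
  [false, true, :once, :minimal].each do |opt|
    rendered = AttrEscape.attribute(':props', payload, escape_attrs: opt)
    puts "escape_attrs: #{opt.inspect} -> single attribute? #{AttrEscape.single_attribute?(rendered)}"
    puts "  #{rendered}"
  end
end
```

Run stand-alone, the script shows that with `escape_attrs: false` the `'` inside the JSON closes the attribute and `single_attribute?` fails, while `true`, `:once` and `:minimal` all keep the value inside the quotes; the `:minimal` output is the shortest of the three because the JSON's own `"` and `<` are left alone, which is the size concern raised in the comments above. Changing `attr_wrapper` to `"` only moves the problem to values containing `"`, which is why escaping against the chosen wrapper, rather than picking a different wrapper, is the fix.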