HAML+Rails can lead to doubly escaped attributes #1051
For that code, there should be no problem to write
Could you also show the code that sets the value returned from
Seems like this is what you want. Because I haven't seen a case where it's needed and the underlying escape method used by
Thanks Takashi. https://github.com/rails/rails/blob/main/actionview/lib/action_view/helpers/capture_helper.rb I wonder if anyone else is encountering this issue.
Thanks.
Now I get your use case, but I don't think we should escape quotes in Haml's case. The most important question is, do you really want to doubly escape Either way, could you try
We are experimenting with Ideally HAML wouldn't html_escape attribute values if they were already marked safe. I think the CVE was intended to address things like Regardless, I'm quite happy with the fix :) Totally up to you if you want to take further action. Thank you for your help and your work on HAML!
👍 Updated the document 77ccce6.
This behavior was introduced with #1028, which is related to CVE-2016-6316. Here is a test case:
In our Rails app it's common to write code like so:
%meta{ property: "og:title", content: content_for(:og_title) || "App Name" }
This code used to work great, because HAML helpfully determined whether or not the value is html_safe and escaped as necessary. The new behavior escapes regardless, resulting in double escaping. Potential fixes:
Haml::Template.options[:escape_attrs] = :once
(Is this correct?) Do I have that correct? I've spent a few hours investigating but I could easily have missed something important.
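The double escaping described in this issue, reproduced as an added stand-alone example (not HAML's or Rails' own code): `SafeString` is a constructed stand-in for the html_safe buffer that `content_for` returns, `escape_always` models the escape-regardless behaviour, `escape_once` models a Rails-style `html_escape_once`, and `escape_unless_safe` models the safe-aware behaviour the reporter describes. All three helper names are assumptions for illustration.

```ruby
require "cgi"

# Constructed stand-in for an html_safe string (what content_for returns
# after Rails has already escaped the user-supplied title once).
class SafeString < String
  def html_safe?
    true
  end
end

# A well-formed entity: &amp;  &#39;  &#x27;
ENTITY_BODY = /(?:[a-zA-Z]+|#\d+|#x[0-9a-fA-F]+);/

# Escapes regardless of html_safe?: an already-escaped value is escaped again.
def escape_always(value)
  CGI.escapeHTML(value.to_s)
end

# Escapes quotes, < and >, and any & that does not start a well-formed entity,
# so an already-escaped value passes through unchanged. Note this is a
# heuristic on the text, not a trust decision about where the value came from.
def escape_once(value)
  value.to_s.gsub(/["'<>]|&(?!#{ENTITY_BODY})/) { |c| CGI.escapeHTML(c) }
end

# Skips escaping only for values explicitly marked html_safe; everything else
# (plain, untrusted strings) is escaped once.
def escape_unless_safe(value)
  if value.respond_to?(:html_safe?) && value.html_safe?
    value.to_s
  else
    CGI.escapeHTML(value.to_s)
  end
end

# Constructed sample: the raw title and its once-escaped, html_safe form.
RAW_TITLE = %(Tom & Jerry's "Best" Day)
OG_TITLE  = SafeString.new("Tom &amp; Jerry&#39;s &quot;Best&quot; Day")

# Renders the og:title meta tag from the issue with the chosen escaper.
def render_meta(escaper, value)
  %(<meta property="og:title" content="#{escaper.call(value)}">)
end

if __FILE__ == $PROGRAM_NAME
  puts render_meta(method(:escape_always), OG_TITLE)      # double escaped
  puts render_meta(method(:escape_once), OG_TITLE)        # unchanged
  puts render_meta(method(:escape_unless_safe), OG_TITLE) # unchanged
  puts render_meta(method(:escape_unless_safe), RAW_TITLE) # escaped once
end
```

The `:once` variant only looks at the text, so it cannot tell a trusted, already-escaped value from an untrusted one that merely contains entity-looking text; the safe-aware variant makes that decision on the value's origin instead.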