-
-
Notifications
You must be signed in to change notification settings - Fork 571
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Upgrading from 5.1.2 to 5.2.2 #1078
Comments
It looks like this is intentional and only by completely turning off escaping attrs globally does it work again. I'm not sure how the latest version caused this to start happening but would it be possible for attributes to allow html_safe strings? |
We're being consistent with Rails in the way we approach the "vulnerability" with a CVE. Rails helpers escape attributes even if you pass an |
This seems like a breaking change. We've got a bunch of handlebars style templates in our haml and upgrading causes quite a bit of breakage in our app: - class_name = "requested-field {{= required ? 'required' : '' }}".html_safe
%div{ class: class_name } the |
And a string that used to parse correctly is now being over-encoded:
The result is that the apostrophe's around
profile
are encoded as:The text was updated successfully, but these errors were encountered: