Rails escapes Vue syntax #44972
Comments
@hiromichinomata we also faced the same regression, we switched to the
Same problem with Haml and Vue.js since we upgraded from Rails 7.0.2.3 to 7.0.2.4.
Very similar issue with Angular property binding syntax "[key] => 'value'" (Rails 6.0.4.8). In my particular case all the keys and values were fully under my control so I can escape: false... But ideally I don't want to have to escape both keys and values at the same time since I might own the keys, not the values... To my knowledge there is no equivalent syntax without brackets (like v-on in Vuejs) so I might have a big issue if I don't own the values.
Quick edit: it seems that bind-key works, so I can use that.
Vue.js, alpinejs, and potentially other JS libraries support tags starting with `@` symbols. This was broken by the recent security release in 649516c.
I've only added `@` to the list even though there are potentially other safe characters. We can add more if necessary (and if safe).
Fixes:
* #45014
* #44972
I fixed this in #45027 and backported it to all the versions of Rails. I'll do a release tomorrow or early next week.
Thank you very much!
Thanks a lot, @eileencodes!
Closing as the release went out this morning. Hope that fixes the issue for you!
Note for anyone following along behind me:
Steps to reproduce
123f42a changed the behavior of Rails.
As far as I checked the code, `@` is not included in COMMON_DANGEROUS_CHARS. Is this expected behavior?
in haml file
Expected behavior
In 6.1.5, `@change` still appears in generated HTML.
Actual behavior
In 6.1.5.1, `@change` is escaped.
System configuration
Rails version: 6.1.5.1
Ruby version: 2.7.5
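An added illustration, not Rails' code and not from this thread: a simplified ASCII-only model of allowlist-based attribute-name escaping, showing why `@change` was altered before `@` was permitted and why characters that could end an attribute name are still replaced afterwards. The helper names, the allowlist, and the `_` replacement character are assumptions of this sketch.

```ruby
require "cgi"

# Simplified, ASCII-only model of allowlist-based attribute-name escaping.
# Hypothetical names throughout; "_" as the replacement character is an
# assumption of this sketch, not taken from the page.
REPLACEMENT = "_"

# Returns a lambda that replaces every character outside the allowlist.
# extra_start: additional characters permitted at the start of a name
# (they are then also permitted in the rest of the name).
def name_escaper(extra_start: "")
  allowed_start = "#{Regexp.escape(extra_start)}:A-Za-z_"
  bad_start  = /[^#{allowed_start}]/
  bad_follow = /[^#{allowed_start}\-.0-9]/
  lambda do |name|
    name = name.to_s
    next "" if name.empty?
    name[0].gsub(bad_start, REPLACEMENT) +
      name[1..-1].gsub(bad_follow, REPLACEMENT)
  end
end

STRICT  = name_escaper                    # models the regression reported above
RELAXED = name_escaper(extra_start: "@")  # models the fix that permits "@"

# Renders one attribute: the name goes through the allowlist, the value
# through ordinary HTML escaping. The two are independent defenses.
def render_attr(escaper, name, value)
  %(#{escaper.call(name)}="#{CGI.escapeHTML(value.to_s)}")
end

# Constructed sample attribute names.
SAMPLES = ["@change", "v-on:change", "bind-key", "[key]", %(a b="c">)]

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |n|
    puts format("%-12s strict=%-12s relaxed=%s",
                n.inspect, STRICT.call(n), RELAXED.call(n))
  end
  puts render_attr(RELAXED, "@change", "onChange")
end
```

Permitting `@` changes the result only for names that contain it; the name containing a space, `=`, quotes and `>` is rewritten identically by both escapers.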