Sunday, Jan 06 2008

SafeErb for Rails 2

Update: See this comment for how to fix problems with HelperMethods.

You might have noticed that the SafeErb plugin does not work in Rails 2 applications. That is because of the old method signatures used in the plugin. The author has put up a blog post (in Japanese) about a new version created by Aaron Bedra, which points to this plugin installer (you may need to replace http with svn):

./script/plugin install http://safe-erb.rubyforge.org/svn/plugins/safe_erb

The author has tested it with Rails 2.0.2 and it works fine. On my system, however, it has problems with methods from the FormHelper (text_field and so on), most likely because of the output values in the value parameter. Does this happen on your system as well? I hope to find a fix for that. Apart from that, the plugin works fine for Rails 2 applications.

Thanks to hurx for sending me his version. A happy new year to you all. 


Reader Comments (7)

I would be happy to fix any bugs that are present for you. My site is down due to me moving, but it should be back up sometime tomorrow evening. Send me any issues along with the offending code snippets. You can find me at my first name at thinkrelevance.com

January 8, 2008 | Unregistered CommenterAaron Bedra

It does not work for any method that uses the ActionView TagHelper. The internals of "escape_once" have changed in Rails 2.0.

To fix this, you can put this code at the end of rails_2.rb from Aaron's plugin version:

# Rails 2.0 changed the internals of escape_once; since escaping makes the output
# safe, untaint the result so SafeErb no longer flags output built by the helpers.
module ActionView::Helpers::TagHelper
  alias :rails_original_escape_once :escape_once

  def escape_once(html)
    rails_original_escape_once(html).untaint
  end
end

January 12, 2008 | Unregistered Commenterhurx
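The mechanism behind both the FormHelper errors described in the post and the escape_once patch above is Ruby taint tracking: request data is tainted, escaping helpers produce safe output, and SafeErb refuses to emit a tainted value from any <%= %> expression. The following is an added illustration, not the plugin's or Aaron's code; because Ruby's taint flag was removed in Ruby 3.2, an instance-variable marker (TaintMark, a constructed name) stands in for it, and the request parameters and templates are constructed sample data.

```ruby
require 'erb'

# Stand-in for Ruby's taint flag (removed in Ruby 3.2), which SafeErb relied on:
# an instance variable marks strings that came from the request.
module TaintMark
  def self.taint(str)
    str.dup.tap { |s| s.instance_variable_set(:@untrusted, true) }
  end
  def self.tainted?(str)
    str.instance_variable_get(:@untrusted) == true
  end
end
class UnescapedOutputError < StandardError; end

# Simulated request parameters: everything from the client starts out marked.
def params_from_request(raw)
  raw.transform_values { |v| TaintMark.taint(v) }
end

# Rails' h() is ERB::Util.html_escape; it builds a new, unmarked string.
def h(str)
  ERB::Util.html_escape(str)
end

ESCAPE_ONCE_MAP = { '&' => '&amp;', '>' => '&gt;', '<' => '&lt;', '"' => '&quot;' }.freeze
# Same effect as the escape_once patch in the comments: escape characters that
# are not already part of an entity, and hand back an unmarked result.
def escape_once(str)
  str.gsub(/["><]|&(?!([a-zA-Z]+|(#\d+));)/) { |m| ESCAPE_ONCE_MAP[m] }
end
# Stand-in for SafeErb's hook on each <%= %> expression: evaluate it in the
# caller's binding and refuse to emit a value that still carries the marker.
def render_checked(template, b)
  template.gsub(/<%=\s*(.*?)\s*%>/) do
    value = eval(Regexp.last_match(1), b).to_s
    raise UnescapedOutputError, "unescaped untrusted value: #{value.inspect}" if TaintMark.tainted?(value)
    value
  end
end
# Constructed request: the escaped render passes, the raw one is refused.
def demo
  name = params_from_request('name' => '<script>alert(1)</script>')['name']
  safe = render_checked('Hello <%= h(name) %>', binding)
  blocked = begin
    render_checked('Hello <%= name %>', binding)
    false
  rescue UnescapedOutputError
    true
  end
  [safe, blocked]
end
```

Without the untaint in the patched escape_once, a helper that passes its value parameter through escape_once would hit the same refusal as the raw render in demo, which is the class of error the post describes for text_field.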

hurx,

Thanks a million. I've been fighting with rails 2+ safe_erb for about half a day now and getting some really head-scratching safe_erb errors (all related to code generated from helpers). The code above did the trick. Thanks again.

January 18, 2008 | Unregistered CommenterBen

Curious how this works if you use haml templates instead of ERB? Has anyone tried it out?

January 22, 2008 | Unregistered CommenterGlenn

Glenn,

This project http://code.google.com/p/xss-shield/ promises to work with HAML, but I didn't check it out...

February 12, 2008 | Unregistered CommenterHeiko

I hope I can improve through learning this respect. But overall, it's very nice. Thank you for your share!

June 24, 2010 | Unregistered CommenterAcronym List
