Because these strings contain no HTML elements and the basic entities are escaped, they are safe to be included as-is as PCDATA in HTML content. Tagging them as html-safe avoids double-escaping entities when being concatenated to a SafeBuffer during rendering. Fixes https://github.com/rails/rails-html-sanitizer/issues/124
1.6 KiB
-
Strings returned from
strip_tags
are correctly taggedhtml_safe?
Because these strings contain no HTML elements and the basic entities are escaped, they are safe to be included as-is as PCDATA in HTML content. Tagging them as html-safe avoids double-escaping entities when being concatenated to a SafeBuffer during rendering.
Fixes rails/rails-html-sanitizer#124
Mike Dalessio
-
Move
convert_to_model
call fromform_for
intoform_with
Now that
form_for
is implemented in terms ofform_with
, remove theconvert_to_model
call fromform_for
.Sean Doyle
-
Fix and add protections for XSS in
ActionView::Helpers
andERB::Util
.Escape dangerous characters in names of tags and names of attributes in the tag helpers, following the XML specification. Rename the option
:escape_attributes
to:escape
, to simplify by applying the option to the whole tag.Álvaro Martín Fraguas
-
Extend audio_tag and video_tag to accept Active Storage attachments.
Now it's possible to write
audio_tag(user.audio_file) video_tag(user.video_file)
Instead of
audio_tag(polymorphic_path(user.audio_file)) video_tag(polymorphic_path(user.video_file))
image_tag
already supported that, so this follows the same pattern.Matheus Richard
-
Ensure models passed to
form_for
attempt to callto_model
.Sean Doyle
Please check 7-0-stable for previous changes.