Ticket #3354 (closed defect: fixed)

Opened 3 years ago

Last modified 1 year ago

Attribute values are not escaped in rxml

Reported by: phil.ross@gmail.com
Assigned to: David
Priority: normal
Milestone:
Component: ActionPack
Version: 1.0.0
Severity: normal
Keywords: rxml Builder XmlMarkup escape
Cc:

Description

The version of Builder included in Rails and used for rxml files does not escape attribute values before inserting them into the XML. For example,

xml.tagname('attrib' => 'val"ue')

produces the invalid output:

<tagname attrib="val"ue"/>

rather than the correct output:

<tagname attrib="val&quot;ue"/>

A change has been committed to the Builder CVS that supports escaping attribute values when a new :escape_attrs option is switched on (see http://rubyforge.org/cgi-bin/viewcvs.cgi/builder/lib/builder/xmlmarkup.rb?root=builder&r1=1.3&r2=1.4 and http://rubyforge.org/cgi-bin/viewcvs.cgi/builder/lib/builder/xmlbase.rb?root=builder&r1=1.2&r2=1.3).

RXML in Rails should be changed to either escape attribute values by default, or provide a means to switch escaping on.
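
The behaviour reported above, set beside an escaping emitter and a strict reader that checks what a consumer would see. This is an added example, not part of the ticket and not Builder's code. The helpers tag_unescaped, escape_attr, tag_escaped, parse_attrs and check are hypothetical names, and the second sample value in the comments is constructed.

```ruby
# Added illustration, not Builder's implementation. All helper names are hypothetical.
XML_ATTR_ESCAPES   = { '&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;' }.freeze
XML_ATTR_UNESCAPES = XML_ATTR_ESCAPES.invert.freeze

# One attribute: name="value", where value may not contain a raw ", < or &.
ATTR = /\s+([A-Za-z_][\w.-]*)="((?:[^"<&]|&(?:amp|lt|gt|quot);)*)"/

# Behaviour described in the ticket: the value is interpolated verbatim.
def tag_unescaped(name, attrs)
  "<#{name}" + attrs.map { |k, v| format(' %s="%s"', k, v) }.join + '/>'
end

# Escape the characters that are special inside a double-quoted attribute value.
def escape_attr(value)
  value.to_s.gsub(/[&<>"]/, XML_ATTR_ESCAPES)
end

# Hardened form: every value passes through escape_attr before it is emitted.
def tag_escaped(name, attrs)
  "<#{name}" + attrs.map { |k, v| format(' %s="%s"', k, escape_attr(v)) }.join + '/>'
end

# Strict reader for one empty-element tag.
# Returns { name => decoded value }, or nil when the tag is not well-formed.
def parse_attrs(tag)
  m = /\A<[A-Za-z_][\w.-]*((?:#{ATTR.source})*)\s*\/>\z/.match(tag)
  return nil unless m
  m[1].scan(ATTR).to_h do |k, v|
    [k, v.gsub(/&(?:amp|lt|gt|quot);/, XML_ATTR_UNESCAPES)]
  end
end

# Compare what a consumer reads back with what the producer meant to send.
#   :ok        attributes round-trip unchanged
#   :malformed the tag does not parse (the ticket's val"ue case)
#   :altered   the tag parses but its attributes differ from the input
def check(tag, intended_attrs)
  parsed = parse_attrs(tag)
  return :malformed if parsed.nil?
  parsed == intended_attrs ? :ok : :altered
end

# Value from the ticket:   check(tag_unescaped('tagname', a), a) is :malformed
#                          check(tag_escaped('tagname', a), a)   is :ok
# Constructed value 'a" b="c' parses without error when unescaped, but as two
# attributes, so a well-formedness check alone would not catch it.
```

The :altered case is why escaping belongs in the emitter rather than in a validation step after the fact.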

Change History

03/18/06 21:20:54 changed by edibiase@mspoke.com

This is burning us even when we just try to use Builder for non-RXML-related purposes. The issue seems to have been resolved in Builder 2.0.

04/27/06 20:50:10 changed by phil.ross@gmail.com

  • status changed from new to closed.
  • resolution set to fixed.

Builder 2.0 has now been committed (http://dev.rubyonrails.org/changeset/4260).

07/22/06 21:24:59 changed by JohnDouthat@gmail.com

  • status changed from closed to reopened.
  • resolution deleted.

more updates here: #5000

05/05/07 18:28:41 changed by watson

I've tested this on trunk, and the issue is fixed.

( copenhagen.rb rails patch day )

05/31/07 09:47:46 changed by csshsh

  • status changed from reopened to closed.
  • resolution set to fixed.