Ruby on Rails | Screencasts | Download | Documentation | Weblog | Community | Source

Ticket #5929 (new defect)

Opened 2 years ago

Last modified 1 year ago

[PATCH] ActionView::Helpers::FormTagHelper.text_area_tag does not escape values

Reported by: sven@c3d2.de Assigned to: David
Priority: high Milestone:
Component: ActionPack Version: 1.1.6
Severity: critical Keywords:
Cc:

Description

The content of <textarea> tags should be escaped. 

def test_text_area_tag_escape_content
  actual = text_area_tag "body", "</textarea><script>alert('xss');<script>", :size => "20x40"
  expected = %(<textarea cols="20" id="body" name="body" rows="40">&lt;/textarea&gt;&lt;script&gt;alert('xss');&lt;script&gt;</textarea>)
  assert_dom_equal expected, actual
end

Attachments

test.patch (0.7 kB) - added by sven@c3d2.de on 08/28/06 01:09:34.
patch for the testcases to add a test for this bug
escape_text_input_contents.diff (2.5 kB) - added by Chris Mear <chris@odegy.com> on 08/28/06 03:25:53.
Fixes this, and adds an :escape => false option in case you do want unescaped contents.

Change History

08/28/06 01:09:34 changed by sven@c3d2.de

  • attachment test.patch added.

patch for the testcases to add a test for this bug

08/28/06 03:25:53 changed by Chris Mear <chris@odegy.com>

  • attachment escape_text_input_contents.diff added.

Fixes this, and adds an :escape => false option in case you do want unescaped contents.

08/28/06 03:26:23 changed by Chris Mear <chris@odegy.com>

  • summary changed from ActionView::Helpers::FormTagHelper.text_area_tag does not escape values to [PATCH] ActionView::Helpers::FormTagHelper.text_area_tag does not escape values.

09/02/06 08:16:41 changed by david

  • keywords set to unverified.

To preserve backwards compatibility, among other reasons, this needs to be flipped. We add the :escape => true if we want to have something escaped. Otherwise, we'd break all the apps that use text_area_tag for editing content with intentional HTML. (Removed unverified keyword when complete).

(follow-up: ↓ 5 ) 09/02/06 09:30:29 changed by Chris Mear <chris@odegy.com>

I don't think we would break anything (unless someone has written code to work around the current broken text_area_tag implementation). If there's a '&' in your text area content that is intended to be edited as a '&', but is not intended to be parsed by your browser as part of your HTML document, then it should be escaped as '&amp;'.

It's exactly the same as the way that the 'value' attribute of a text field input gets automatically escaped when it goes through tag().

In other words, the current text_area_tag():

  1. generates bad HTML by default;
  2. is inconsistent with text_area() (which does escape the content);
  3. is inconsistent with all the other _tag() helpers (which do escape their values).

In the face of the above, I really think the default behaviour ought to be changed.

(in reply to: ↑ 3 ) 09/18/06 11:53:00 changed by chrismear

If anyone wants a demonstration of this, just set up a controller with: 

@content = params[:content]

and a view with: 

<%= form_tag %>
  <p><%= text_area_tag('content', @content) %></p>
  <p><%= submit_tag %></p>
<%= end_form_tag %>

Now, if you type in "<b>Hello & Goodbye!</b>" and hit submit a few times, you'll see that your angled brackets survive. But this is just an accident: it only works because the browser is being lenient with the shoddy HTML that text_area_tag is producing.

Now type in "&lt;b&gt;Hello &amp; Goodbye!&lt;/b&gt" (imagine you're writing a blog post and you want to demonstrate some HTML or something). Hit submit, and you'll see that a roundtrip to the server completely obliterates your carefully-typed entities. It spits them back literally into the HTML for the textarea tag, and your browser treats them as it should -- entities representing literal <, > and & characters in the content.

To fix this, all you need is a to change @content to h(@content). You'll see that the first test case still works perfectly as before, but now the second case works too.

07/19/07 23:29:30 changed by lifofifo

  • keywords deleted.