Michael Koziarski
Some refactoring is required in order to support this, but yes, it's on the list. Thanks for reporting it and giving me a GitHub issue ;)
@minaguib: image_tab, and render :partial both return safe strings so will work fine. The catch with this one is that we can't put these escape calls into 2-3-stable as it'll...
Guys, link_to can and _will_ work this way in 3.0. We'll fix that. However we _can't_ just make that change in 2.3.x without busting people's apps. So I think what...
@ryanb: No need to overthink the problem here, you can just blindly escape the relevant parameters and rely on the idempotency to handle all the weird cases. Using content_tag seems...
The cache case looks like it could be a bug. Could you paste the implementation of your tab / flash helpers into a gist for me to take a look...
Yes, you'll need to either call raw in your views, or modify your helpers to pre-mark those strings as safe. e.g. `(result + css).html_safe!` A String is considered safe ONLY...
Yes, it's already been included ;)
The first case is an interesting one, it's not 'html_safe?' because there's the + "\n" in there, another option would be to make String#+ _escape_ its other operands instead of...
Yeah, \n isn't 'unsafe' in the sense that it's an attack vector, but with the new xss code _everything_ is considered unsafe unless marked safe. So the options when adding...
Yep, everything was fine after I re-ran everything. This issue isn't about the questionable quality of my internet connection though, more that the whole process should have bailed out completely...