searchlogic
Rails Helpers in order uses HTML Entities which don't play nice with Rails+XSS
Hey,
Order helper method uses HTML Entities ▲ and ▼ to show the Up and Down arrows. This is then used to create the link's name. However, because of rails_xss (which I believe will be default in Rails 3 and can be optionally switched on in 2.3.8 with the rails_xss plugin), this gets escaped and I see &$9650; in the output.
searchlogic-2.4.19/lib/searchlogic/rails_helpers.rb" line 47 of 7
I believe we need to do "html_safe" (or "html_safe!" on older versions) to get this to be right.
<< link_to (options[:as]), url_for(url_options), html_options
link_to (options[:as]).html_safe, url_for(url_options), html_options
Or something to that effect.
Cheers, Aditya
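An added example, not part of the original post or of searchlogic's code: a stdlib-only model of the escape-unless-flagged-safe rule that rails_xss applies, showing what each way of building the arrow label leaves unescaped. `SafeHtml`, `render` and the three `label_*` helpers are hypothetical names, and the `<b>` label is constructed sample input.

```ruby
require "erb"

# Simplified stand-in for a "safe buffer": a String flagged as trusted HTML.
# Constructed for this example; it is not ActiveSupport's implementation.
class SafeHtml < String
  # Appending escapes the operand unless it is itself flagged safe.
  def +(other)
    piece = other.is_a?(SafeHtml) ? other.to_s : ERB::Util.html_escape(other.to_s)
    SafeHtml.new(to_s + piece)
  end
end

# What the view layer does on output: escape everything not flagged safe.
def render(value)
  value.is_a?(SafeHtml) ? value.to_s : ERB::Util.html_escape(value.to_s)
end

# Trusted literal: the only part of the label that needs to stay raw.
ARROW_UP = SafeHtml.new("&#9650;&nbsp;")

# Behaviour reported in the issue: a plain string, so the entity is escaped.
def label_plain(as)
  "&#9650;&nbsp;#{as}"
end

# Fix proposed in the issue: the whole label is flagged safe, `as` included.
def label_all_safe(as)
  SafeHtml.new("&#9650;&nbsp;#{as}")
end

# Narrower alternative: only the literal is trusted, `as` is still escaped.
def label_entity_safe(as)
  ARROW_UP + as
end

if __FILE__ == $PROGRAM_NAME
  sample = "<b>Name</b>" # constructed label containing markup
  puts render(label_plain("Name"))       # entity shows up escaped
  puts render(label_all_safe(sample))    # markup in the label passes through
  puts render(label_entity_safe(sample)) # arrow is raw, label is escaped
end
```

ActiveSupport::SafeBuffer applies the same rule when an unsafe string is appended to a safe one, so marking only the entity literal as safe and appending `options[:as]` to it keeps the label text escaped.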
I thought link_to output was marked as html_safe. I have the same problem though.
Solution mentioned works.
Hello, I want to remove the arrows from the links and apply other images based on class. How can I do that?