add escape_filter_interpolations option #984
Conversation
Set `escape_interpolated_html` to `false` for backwards compatibility with haml 4 defaults.
| @@ -13,6 +13,7 @@ class TempleEngine < Temple::Engine | |||
| encoding: nil, | |||
| escape_attrs: true, | |||
| escape_html: false, | |||
| escape_interpolated_html: nil, | |||
There was a problem hiding this comment.
To make sure it's a boolean flag, the default value should be false instead of nil.
There was a problem hiding this comment.
Ah, okay I understood your intention. So probably you intends to mean absence of this option here. Never mind.
|
While I understand why you would need this, as it is just a migration path from 4 to 5 and there is no reason to recommend keeping the vulnerable behavior, I don't like to introduce this as official option, which we need to maintain forever. I even think having both
Given the situation, I would like to have Ruby 2.5 support in https://github.com/haml/haml/tree/stable. Obviously that's the best path to avoid "refactoring large amounts of existing application code", right? Also, the bug which was fixed for Ruby 2.5 at v5.0.4 was introduced at Haml v5. In my understanding, it doesn't affect Haml v4. Thus I can't think of any reason to upgrade your Haml to 5.0.4+ only for using Ruby 2.5. For your safe Ruby upgrade, please use Haml 4 as it is. If it doesn't work with Ruby 2.5, please report it separately. |
|
closing due to inactivity |
The original behavior had safe usage patterns ( |
{a: "<script>alert('hello');</script>"}.to_json #=> "{\"a\":\"<script>alert('hello');</script>\"}" |
|
rails activesupport version of to_json escapes by default https://github.com/rails/rails/blob/master/activesupport/lib/active_support/json/encoding.rb#L42 in a rails console your example outputs: in the following example (with html encoding turned off) the - script_injector_string = "</script><script>alert('injected')</script>"
:javascript
#{script_injector_string.to_json};
:javascript
#{script_injector_string.inspect}; <body>
<script>
"\u003c/script\u003e\u003cscript\u003ealert('injected')\u003c/script\u003e";
</script>
<script>
"</script><script>alert('injected')</script>";
</script>
</body>
To avoid porting old code on upgrade. |
This was intended for the html_safe/raw suggestion |
if to_json did not escape, calling html_safe/raw on it would not be good advice, because you would end up where you started, with a theoretical possibility of script injection. The following injects. - script_injector_string = "</script><script>alert('injected')</script>"
:javascript
#{JSON.dump(script_injector_string).html_safe};If you did not want to depend on the protection of rails to_json, the proper workaround would be to let haml html escape the to_json output, wrap it in quotes and then on the javascript side, html decode it, then JSON.parse the result. Considering that html decoding is not even a js builtin, this is getting pretty cumbersome. I hope this underscores the need for this option. If you are already using to_json, having to port to .to_json.html_safe is entirely pointless, as you are still protected by to_json. Much better to set an option and leave the already safe and simple code alone. |
|
@k0kubun so would you consider adding an and |
Interesting. So this is really Rails-specific issue. Ideally this discussion should go to haml-rails repository but Haml's extension for Rails still exists in haml for now, so I'll talk about it here for now. Could you confirm the following parts?
The affected templates are only Haml templates with Ultimately, I would recommend using data attribute to pass values to JavaScript safely, so I don't think this is a reasonable use case and I'm reluctant to support such feature to let people move towards that way. I hope gives the answers to both comments. I'm actually not recommending |
yes
I also have a bunch of :plain filters inside %script tags, I think to be able set attributes of the script tag, which :javascript does not let you do
In one particular project there were ~ 250.
Since the safety concern has been dismissed, you are presenting no argument for why it's unreasonable, simply asserting it, whereas I gave you two compelling ones, here they are again:
|
Small aside, escape_interpolated_html is not a good name, it reads the same as the exiting escape_html, the new one would need to be called escape_filter_interpolations or just escape_filters. I am not clear on what you are saying I could provide? Another use-case? |
|
Hmm, fine. Your use case makes sense as an easy migration step of Haml 4 -> 5. I'll merge this patch and refine the name. I'll use the name |
k0kubun
changed the title
|
thanks, confirming that it's working |
Update ruby-haml to 5.1.2. pkgsrc change: add "USE_LANGUAGES= # none". ## 5.1.2 Released on August 6, 2019 ([diff](haml/haml@v5.1.1...v5.1.2)). * Fix crash in some environments such as New Relic by unfreezing string literals for ParseNode#inspect. [#1016](haml/haml#1016) (thanks [Jalyna](https://github.com/jalyna)) ## 5.1.1 Released on May 25, 2019 ([diff](haml/haml@v5.1.0...v5.1.1)). * Fix NameError bug for that happens on ruby 2.6.1-2.6.3 + haml 5.1.0 + rails 4.2.x + erubi. (Akira Matsuda) ## 5.1.0 Released on May 16, 2019 ([diff](haml/haml@v5.0.4...v5.1.0)). * Rails 6 support [#1008](haml/haml#1008) (thanks [Seb Jacobs](https://github.com/sebjacobs)) * Add `escape_filter_interpolations` option for backwards compatibility with haml 4 defaults [#984](haml/haml#984) (thanks [Will Jordan](https://github.com/wjordan)) * Fix error on empty :javascript and :css filter blocks [#986](haml/haml#986) (thanks [Will Jordan](https://github.com/wjordan)) * Respect changes in Haml::Options.defaults in `Haml::TempleEngine` options (Takashi Kokubun) * Un-freeze TempleEngine precompiled string literals [#983](haml/haml#983) (thanks [Will Jordan](https://github.com/wjordan)) * Various performance/memory improvements [#965](haml/haml#965), [#966](haml/haml#966), [#963](haml/haml#963) (thanks [Dillon Welch](https://github.com/oniofchaos)) * Enable `frozen_string_literal` magic comment for all .rb files [#967](haml/haml#967) (thanks [Dillon Welch](https://github.com/oniofchaos))
Addresses points raised in (closed issue) #940, by allowing optional backwards compatibility to work around breaking changes introduced by #770 (released in
5.0.0).This PR is mostly intended for migrating large/legacy applications written against the v4 API, that want to upgrade to v5 while avoiding time-intensive application refactoring (e.g., #940 (comment)).
My particular use-case is a need to upgrade
hamlto>= 5.0.4for Ruby 2.5 support without refactoring large amounts of existing application code.Introduces a new
escape_interpolated_htmloption (defaults to the current value ofescape_htmlfor backwards compatibility with existing5.xdefault behavior), which can be used to override the behavior for escaping HTML in interpolated strings separately from other html-escaping behavior.With this option, it's possible to set
Haml::Template.options[:escape_interpolated_html] = false(e.g., in a Rails initializer) for full backwards compatibility with v4 behavior, without any further changes to existing application code.