One way to fix this is by using the new line character (\n) instead of the
new line tag in the error message. However, this doesn't work too because
the backslash is also being HTML escaped.
That brings me to suggest to use sanitize
<http://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html>
after doing the HTML escape and by that replacing the new-line tag with the
new-line character in the error message.
Unless you have a better idea, I can do this change and submit a PR.
I think you can mark all the strings containing the '<br>' tags as .html_safe which will cause them to be marked as SafeBuffers.
If I'm not mistaken this will provide better performance then sanitizing the entire strings.
see here for more info: http://yehudakatz.com/2010/02/01/safebuffers-and-rails-3-0/
···
----- Original Message -----
From: "boaz s"
To: foreman-dev@googlegroups.com
Sent: Saturday, August 16, 2014 9:52:35 PM
Subject: [foreman-dev] HTML tags in error messages
One way to fix this is by using the new line character (\n) instead of the
new line tag in the error message. However, this doesn’t work too because
the backslash is also being HTML escaped.
That brings me to suggest to use sanitize http://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html
after doing the HTML escape and by that replacing the new-line tag with the
new-line character in the error message.
Unless you have a better idea, I can do this change and submit a PR.
We've fixed a few similar instances, and I'd suggest simply changing it
to use .to_sentence or .join(',') on the array rather than worrying
about new lines.
···
On 16/08/14 19:52, boaz s wrote:
> Hi there,
>
> I have noticed that new-line tags ( ) are shown in error messages and
> would like to fix this.
> Actually, I see that someone has already submitted a bug in the Issue
> Tracker: http://projects.theforeman.org/issues/6903.
>
> From what I have seen, the error message is sent (for instance, from
> app/controllers/hosts_controller.rb:404
> )
> by using the /error method/ that its definition is in
> app/controllers/application_controller.rb:172
> .
> There, the error message is being HTML escaped to avoid XSS attacks, but
> on the same time, making the HTML being a part of the error message.
>
> One way to fix this is by using the new line character (\n) instead of
> the new line tag in the error message. However, this doesn't work too
> because the backslash is also being HTML escaped.
> That brings me to suggest to use sanitize
>
> after doing the HTML escape and by that replacing the new-line tag with
> the new-line character in the error message.
>
> Unless you have a better idea, I can do this change and submit a PR.
···
On Monday, August 18, 2014 10:25:27 AM UTC+3, Dominic Cleal wrote:
>
> On 16/08/14 19:52, boaz s wrote:
> > Hi there,
> >
> > I have noticed that new-line tags ( ) are shown in error messages and
> > would like to fix this.
> > Actually, I see that someone has already submitted a bug in the Issue
> > Tracker: http://projects.theforeman.org/issues/6903.
> >
> > From what I have seen, the error message is sent (for instance, from
> > app/controllers/hosts_controller.rb:404
> > <
> https://github.com/theforeman/foreman/blob/develop/app/controllers/hosts_controller.rb#L404>)
>
> > by using the /error method/ that its definition is in
> > app/controllers/application_controller.rb:172
> > <
> https://github.com/theforeman/foreman/blob/develop/app/controllers/application_controller.rb#L172>.
>
> > There, the error message is being HTML escaped to avoid XSS attacks, but
> > on the same time, making the HTML being a part of the error message.
> >
> > One way to fix this is by using the new line character (\n) instead of
> > the new line tag in the error message. However, this doesn't work too
> > because the backslash is also being HTML escaped.
> > That brings me to suggest to use sanitize
> > <
> http://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html>
>
> > after doing the HTML escape and by that replacing the new-line tag with
> > the new-line character in the error message.
> >
> > Unless you have a better idea, I can do this change and submit a PR.
>
> We've fixed a few similar instances, and I'd suggest simply changing it
> to use .to_sentence or .join(',') on the array rather than worrying
> about new lines.
>
> --
> Dominic Cleal
> Red Hat Engineering
>