abedra/safe-erb

form_helper.label throws tainted

Closed this issue · 2 comments

Hello! First of all, thanks for writing this plugin :)

I just have one problem: when I do a <% form_for @object do |f| %>
and then an <%= f.label :some_method %>, it throws an exception, even though from what I can see the string should not be tainted; after all, it's just a label, and nothing should come out of the database. Is this normal? How should I fix it?

Thanks!

Elias

OK, I just saw that everything that comes from I18n.t comes tainted. I'll just monkey-patch I18n.t to untaint strings.

Thanks!

Also consider using rails-xss from now on. This was a workaround to a lack of proper support in Rails 2.x. rails-xss is a backport of the Rails 3 support and is a more natural approach.
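The thread contrasts two ways of handling the label text that I18n.t returns: untainting everything from I18n wholesale, or the rails-xss approach, where strings are untrusted by default and are escaped when appended to an HTML buffer unless explicitly marked safe. The Ruby below is an added illustration of that second model, written for this page; it is not code from safe-erb, rails-xss or Rails. The `SafeBuffer` class is a deliberately simplified stand-in for the html_safe/SafeBuffer mechanism, and the `TRANSLATIONS` table, `translate`, `label_tag` and `label_tag_trusting_i18n` are constructed for the example. The second helper shows what a blanket "untaint I18n.t" patch amounts to: a translation that happens to contain markup is emitted unescaped.

```ruby
require "erb"

# Simplified stand-in for the html_safe / SafeBuffer idea that rails-xss
# backports (illustration only, not ActiveSupport::SafeBuffer). Appending a
# string that is not marked html_safe? escapes it; marked strings pass through.
class SafeBuffer < String
  def html_safe?
    true
  end

  def <<(other)
    if other.respond_to?(:html_safe?) && other.html_safe?
      super(other)
    else
      super(ERB::Util.html_escape(other.to_s))
    end
  end
end

class String
  # Plain strings are untrusted by default...
  def html_safe?
    false
  end

  # ...and must be promoted explicitly to be passed through unescaped.
  def html_safe
    SafeBuffer.new(self)
  end
end

# Constructed translation table: one ordinary label and one that carries
# markup, standing in for a locale file an attacker or careless editor touched.
TRANSLATIONS = {
  "activerecord.attributes.user.name" => "Full name",
  "activerecord.attributes.user.bio"  => "Bio <i>injected</i>",
}.freeze

# Hypothetical I18n.t stand-in: returns a plain (untrusted) String.
def translate(key)
  TRANSLATIONS.fetch(key, key)
end

# Label helper in the rails-xss style: the HTML skeleton is built as a
# SafeBuffer, and the translated text is appended through it, so it is escaped.
def label_tag(object_name, method)
  text = translate("activerecord.attributes.#{object_name}.#{method}")
  buf = SafeBuffer.new("<label for=\"#{object_name}_#{method}\">")
  buf << text
  buf << "</label>".html_safe
end

# Same helper after a blanket "trust everything from I18n" patch: the
# translation is marked safe before it reaches the buffer, so markup in the
# locale data is emitted verbatim. This is the risk of untainting wholesale.
def label_tag_trusting_i18n(object_name, method)
  text = translate("activerecord.attributes.#{object_name}.#{method}").html_safe
  buf = SafeBuffer.new("<label for=\"#{object_name}_#{method}\">")
  buf << text
  buf << "</label>".html_safe
end

if __FILE__ == $PROGRAM_NAME
  puts label_tag("user", "name")
  puts label_tag("user", "bio")
  puts label_tag_trusting_i18n("user", "bio")
end
```

Running the file prints the benign label, the escaped version of the bio label (`&lt;i&gt;injected&lt;/i&gt;`), and the unescaped version produced when I18n output is trusted wholesale. The design point is that safety is a property of the output buffer, not of where a string came from: a label helper can stay oblivious to I18n, and only string literals the template author controls get marked safe.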