25 May, 2010

Published at 12:26AM

Tagged with code, navigation, plugin, programming, rails, and xss

This post has 2 comments

Rails 2.3.7 and navigation plugin

Rails 2.3.6 came out on Monday, and Rails 2.3.7 followed today. I upgraded a few apps and realized that the new XSS-safe-by-default behaviour (helper output is HTML-escaped unless it is explicitly marked html_safe) broke my navigation plugin.

I considered updating the master branch with the fixes, but I’m going to hold off on that for now, since it will break in Rails 2.3.5 and below. Not everyone wants to upgrade to the latest 2.3.7 release just yet, but I can’t imagine why not :-)

Anyway, here are the (simple) fixes required to get the plugin working with Rails 2.3.7.

Plugin load order

First, make sure you have the official rails_xss plugin installed. Then tell Rails to load it before every other plugin, so that the navigation plugin's init.rb can use the html_safe and safe_helper methods that rails_xss adds. In config/environment.rb:

config.plugins = [ :rails_xss, :all ]

Load the rails_xss plugin, then everything else.

Making the output html_safe

init.rb—Tell ActionView::Base that the navigation helper is safe. Change this:

ActionView::Base.class_eval do
  include RPH::Navigation::Helpers
end

to this:

ActionView::Base.class_eval do
  include RPH::Navigation::Helpers
  # mark the navigation helper's return value as html_safe
  self.safe_helper :navigation
end

navigator.rb—Ensure that the links are safe. At the end of the block (around line 81) do this:

links = menu.inject([]) do |items, (item, opts)|
  # ...
end.join("\n").html_safe   # join returns a plain String, so mark the result safe

That’s about it. Now the plugin should behave as it always has.

Oh, there's one more thing. If you will be passing HTML to the :text option in the menu configuration, you'll need to mark the link text as safe as well. Keep in mind that html_safe does not sanitize anything; it tells Rails to trust the string as-is, so only do this for text that lives in your own configuration, never for values derived from user input.

navigator.rb—Change this line (around line 109):

[text, path, attrs]

to this:

[text.html_safe, path, attrs]   # trust the configured text; it is emitted unescaped

That should do it. Now a :text value such as "About & Tour" is rendered as written instead of being escaped. If you run into any other issues, let me know.
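As an added illustration, not code from the navigation plugin or from rails_xss, here is a small Ruby model of the SafeBuffer semantics the fixes above rely on: a string either carries the html_safe mark or gets escaped when a template appends it, Array#join returns a plain String and so drops the mark (hence the first fix), and html_safe only asserts trust without escaping anything (hence the caveat on the second fix). ActiveSupport is not loaded; the Model and Nav modules and the sample menu are constructed for this example.

```ruby
# Added example, not code from the navigation plugin or from rails_xss: a
# small model of html_safe / SafeBuffer semantics. ActiveSupport is not
# loaded; Model, Nav and the sample menu below are constructed for this demo.

module Model
  ESCAPES = { '&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
              '"' => '&quot;', "'" => '&#39;' }.freeze

  # Escape the characters that matter in HTML text and attribute values.
  def self.html_escape(s)
    s.to_s.gsub(/[&<>"']/) { |c| ESCAPES[c] }
  end

  # A string that has been declared safe. Anything appended to it that is
  # not itself marked safe is escaped on the way in; that is how a template
  # stays safe even when a helper hands it a plain String.
  class SafeBuffer < String
    def html_safe?; true; end
    def html_safe;  self; end
    def to_s;       self; end   # keep the mark, as ActiveSupport's buffer does

    def <<(other)
      super(other.html_safe? ? other : Model.html_escape(other))
    end
    alias_method :concat, :<<

    def +(other)
      dup << other
    end
  end
end

class String
  def html_safe?; false; end
  # html_safe is a trust assertion: nothing is escaped, the buffer is just
  # told not to escape this value later.
  def html_safe; Model::SafeBuffer.new(self); end
end

# The shape of the plugin's helper, reduced to what matters here.
module Nav
  extend self

  # Constructed sample menu: [link text, path] pairs as they might sit in
  # the plugin's configuration.
  SAMPLE_MENU = [['Home', '/'], ['About & Tour', '/about']].freeze

  # Like link_to: escapes the text unless the caller marked it safe.
  def link_to(text, path)
    label = text.html_safe? ? text : Model.html_escape(text)
    %(<a href="#{Model.html_escape(path)}">#{label}</a>).html_safe
  end

  # Before the fix: Array#join returns a plain String, so the safe links
  # lose their mark and the template escapes the whole block a second time.
  def navigation_before_fix(menu = SAMPLE_MENU)
    menu.map { |text, path| link_to(text, path) }.join("\n")
  end

  # After the fix: every piece was already escaped or marked safe, so
  # declaring the joined result safe is correct.
  def navigation(menu = SAMPLE_MENU)
    menu.map { |text, path| link_to(text, path) }.join("\n").html_safe
  end

  # What an ERB template does with whatever a helper returns.
  def render(template_prefix, helper_output)
    template_prefix.html_safe << helper_output
  end
end

if __FILE__ == $PROGRAM_NAME
  puts Nav.render('<ul>', Nav.navigation_before_fix)     # double-escaped
  puts Nav.render('<ul>', Nav.navigation)                # correct markup
  puts Nav.link_to('<em>Tour</em>'.html_safe, '/tour')   # markup kept
  puts Nav.link_to('<script>x</script>'.html_safe, '/t') # XSS if text came from a user
end
```

The last call is the one to keep in mind with the text.html_safe fix: it is correct when :text is a literal in your own menu configuration, but if that value is ever built from request parameters, the mark turns the helper into an injection point. Escape first, or only mark strings you wrote yourself.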

Comments

Bharat Ruparel Sunday, 08 Aug, 2010 Posted at 07:18PM

Ryan, I posted a comment for you in your other column.

My site: http://www.github.com/bruparel/file_manager uses a modified version of your "old" navigation_helper plugin. I am having a hard time understanding how to sanitize it. If possible, I would like to stay with the old helper since it does exactly what I want it to. I tried following your post here to sanitize it, but the links still come out escaped. Can you please provide some guidance?

Thanks. Bharat

Ryan Monday, 09 Aug, 2010 Posted at 09:24AM

Bharat -

I think you want to modify this: lines 108-110 of navigator.rb

That’s where the link text gets output. Change it to:

def text_for(link)
  link.to_s.titleize.html_safe
end

And if you’re referring to the entire link, and not just the link text, try modifying line 70 of navigation.rb to be link.html_safe instead.

Let me know how it goes.


Ryan Heath | A Ruby on Rails production.