escape_utils's Issues

Don't escape HTML in plain text emails

I've found a similar ticket reported here, but it was closed without a fix so I'm re-raising the issue. (Rails 3.0.7 + Ruby 1.9.2)

#14

In my case, not only '/' was escaped but other characters like single quotes got escaped too. So EscapeUtils.html_secure = false only fixed the url part of the problem.

Namely, with require 'escape_utils/html/erb':

Here's the link: http://www.example.com/

With require 'escape_utils/html/erb' and EscapeUtils.html_secure = false:

Here's the link: http://www.example.com/

By removing require 'escape_utils/html/erb', finally I got the correct result:

Here's the link: http://www.example.com/

Note that HTML tags like '<' or '>' aren't escaped in email templates with .text.erb extension, so it's not a Rails bug.

escape_utils requires Ruby version > 1.9.3.

I've tried installing escape_utils on Ubuntu 12.04.3 but every time I do I get the error "escape_utils requires Ruby version > 1.9.3." I have tried installing it with version 1.9.3 and version 2.0.0 and both have brought up this message. Any ideas on what might be causing this? Both versions of Ruby were installed through the Ruby version manager, if that makes any difference.

thanks,
Adam

Unescaping form-data with 0.2.4

EscapeUtils 0.2.4 seems to have introduced a bug in regard to unescaping form submission.

This can easily be seen when having as simple a form as this in a stock rails app:

<%= form_for :test, :url => '/test/create' do |f| %>
  <%= f.text_field :test, :type => :tel %>
<% end %>

When I enter +++Test+++ into the field and submit the form I get the data I expect in the params hash, +++Test+++

Adding escape_utils 0.2.4 to the Gemfile and putting

require 'escape_utils/url/rack'

into an initializer leads to the form data being decoded as Test (the leading and trailing space does not show here!), the plus gets decoded to a blank - not exactly what I expect to happen in an input field with form data.

This problem doesn't occur with 0.2.3 - I suspect it has something to do with the move to 'houdini'

Code is not documented enough to contribute

I see a list of issues here that I'd like to resolve but the code isn't documented enough for me to contribute anything since it's not easy to understand the calculations you're doing.

Did you break rake-compiler?

All rake calls now print this message:

rake-compiler must be configured first to enable cross-compilation
rake-compiler must be configured first to enable cross-compilation

Everything works as expected after the message. I am a C programmer and what is this.

Cannot load such file -- escape_utils/escape_utils (LoadError)

On a Mac Intel Core I9 machine, I can install the gem without issue using bundler or gem install escape_utils

However, when I attempt to boot the application, I get the following error during bootsnap loading of dependencies:

05:43 $ bundle exec rails c
Traceback (most recent call last):
	28: from bin/rails:4:in `<main>'
	27: from /Users/darwin/.rbenv/versions/2.7.5/gemsets/evo/gems/bootsnap-1.13.0/lib/bootsnap/load_path_cache/core_ext/kernel_require.rb:32:in `require'
	26: from /Users/darwin/.rbenv/versions/2.7.5/gemsets/evo/gems/bootsnap-1.13.0/lib/bootsnap/load_path_cache/core_ext/kernel_require.rb:32:in `require'
	25: from /Users/darwin/.rbenv/versions/2.7.5/lib/ruby/gems/2.7.0/gems/railties-6.0.6/lib/rails/commands.rb:18:in `<main>'
	24: from /Users/darwin/.rbenv/versions/2.7.5/lib/ruby/gems/2.7.0/gems/railties-6.0.6/lib/rails/command.rb:46:in `invoke'
	23: from /Users/darwin/.rbenv/versions/2.7.5/lib/ruby/gems/2.7.0/gems/railties-6.0.6/lib/rails/command/base.rb:69:in `perform'
	22: from /Users/darwin/.rbenv/versions/2.7.5/lib/ruby/gems/2.7.0/gems/thor-1.2.1/lib/thor.rb:392:in `dispatch'
	21: from /Users/darwin/.rbenv/versions/2.7.5/lib/ruby/gems/2.7.0/gems/thor-1.2.1/lib/thor/invocation.rb:127:in `invoke_command'
	20: from /Users/darwin/.rbenv/versions/2.7.5/lib/ruby/gems/2.7.0/gems/thor-1.2.1/lib/thor/command.rb:27:in `run'
	19: from /Users/darwin/.rbenv/versions/2.7.5/lib/ruby/gems/2.7.0/gems/railties-6.0.6/lib/rails/commands/console/console_command.rb:101:in `perform'
	18: from /Users/darwin/.rbenv/versions/2.7.5/lib/ruby/gems/2.7.0/gems/railties-6.0.6/lib/rails/command/actions.rb:14:in `require_application_and_environment!'
	17: from /Users/darwin/.rbenv/versions/2.7.5/lib/ruby/gems/2.7.0/gems/railties-6.0.6/lib/rails/command/actions.rb:22:in `require_application!'
	16: from /Users/darwin/.rbenv/versions/2.7.5/gemsets/evo/gems/bootsnap-1.13.0/lib/bootsnap/load_path_cache/core_ext/kernel_require.rb:32:in `require'
	15: from /Users/darwin/.rbenv/versions/2.7.5/gemsets/evo/gems/bootsnap-1.13.0/lib/bootsnap/load_path_cache/core_ext/kernel_require.rb:32:in `require'
	14: from /Users/nfg-projects/Givecorps-site/config/application.rb:7:in `<main>'
	13: from /Users/darwin/.rbenv/versions/2.7.5/lib/ruby/gems/2.7.0/gems/bundler-2.3.26/lib/bundler.rb:186:in `require'
	12: from /Users/darwin/.rbenv/versions/2.7.5/lib/ruby/gems/2.7.0/gems/bundler-2.3.26/lib/bundler/runtime.rb:44:in `require'
	11: from /Users/darwin/.rbenv/versions/2.7.5/lib/ruby/gems/2.7.0/gems/bundler-2.3.26/lib/bundler/runtime.rb:44:in `each'
	10: from /Users/darwin/.rbenv/versions/2.7.5/lib/ruby/gems/2.7.0/gems/bundler-2.3.26/lib/bundler/runtime.rb:55:in `block in require'
	 9: from /Users/darwin/.rbenv/versions/2.7.5/lib/ruby/gems/2.7.0/gems/bundler-2.3.26/lib/bundler/runtime.rb:55:in `each'
	 8: from /Users/darwin/.rbenv/versions/2.7.5/lib/ruby/gems/2.7.0/gems/bundler-2.3.26/lib/bundler/runtime.rb:60:in `block (2 levels) in require'
	 7: from /Users/darwin/.rbenv/versions/2.7.5/gemsets/evo/gems/bootsnap-1.13.0/lib/bootsnap/load_path_cache/core_ext/kernel_require.rb:32:in `require'
	 6: from /Users/darwin/.rbenv/versions/2.7.5/gemsets/evo/gems/bootsnap-1.13.0/lib/bootsnap/load_path_cache/core_ext/kernel_require.rb:32:in `require'
	 5: from /Users/darwin/.rbenv/versions/2.7.5/lib/ruby/gems/2.7.0/gems/escape_utils-0.2.4/lib/escape_utils.rb:1:in `<main>'
	 4: from /Users/darwin/.rbenv/versions/2.7.5/lib/ruby/gems/2.7.0/gems/activesupport-6.0.6/lib/active_support/dependencies.rb:324:in `require'
	 3: from /Users/darwin/.rbenv/versions/2.7.5/lib/ruby/gems/2.7.0/gems/activesupport-6.0.6/lib/active_support/dependencies.rb:291:in `load_dependency'
	 2: from /Users/darwin/.rbenv/versions/2.7.5/lib/ruby/gems/2.7.0/gems/activesupport-6.0.6/lib/active_support/dependencies.rb:324:in `block in require'
	 1: from /Users/darwin/.rbenv/versions/2.7.5/gemsets/evo/gems/bootsnap-1.13.0/lib/bootsnap/load_path_cache/core_ext/kernel_require.rb:17:in `require'
/Users/darwin/.rbenv/versions/2.7.5/gemsets/evo/gems/bootsnap-1.13.0/lib/bootsnap/load_path_cache/core_ext/kernel_require.rb:17:in `require': cannot load such file -- escape_utils/escape_utils (LoadError)

On my M1 machine, I have never encountered this issue.

I've installed the gem with the verbose setting, but I am not seeing anything there either. I see that there is no escape_utils/escape_utils.rb file in the gem, though there is an escape_utils.bundle file.

Any advice, or suggestions would be greatly appreciated.

Unable to build on Ubuntu 13.04 + rvm( ruby-1.9.2-p320 ) invalid switch in RUBYOPT

...
Installing daemons (1.1.9)
Installing dotenv (0.9.0)
Installing erubis (2.7.0)
Installing escape_utils (0.3.2)
Gem::Installer::ExtensionBuildError: ERROR: Failed to build gem native extension.
/home/clivecrous/.rvm/rubies/ruby-1.9.2-p320/bin/ruby extconf.rb
/home/clivecrous/.rvm/rubies/ruby-1.9.2-p320/bin/ruby: invalid switch in RUBYOPT: -S (RuntimeError)

escape_javascript monkeypatch breaks existing ajax js response behavior

We're using Rails 3.2.12. In our application we have ajax pagination of a view.

index.js.haml

$('#activity_stream').html("#{escape_javascript render("activities/activity_stream", :stream => @activity_stream)}");

The default ajax response when not using escape_utils is something like this:

$('#activity_stream').html("<ul class=\'streams\'>\n  <li id=\'s ...

When using escape_utils javascript action_view monkeypatch, the ajax response looks something like this:

$('#activity_stream').html("&lt;ul class=\&#39;streams\&#39;&gt;\n  &lt;li id=\&#39;s ...

Instead of rendering HTML, now it's rendering an HTML-escaped string. The monkeypatch doesn't seem to be working. Shouldn't it be a drop-in replacement for the original escape_javascript?

HTML escape of slash is recommended by OWASP

Just thought you might like to know the Open Web Application Security Project (OWASP) recommends escaping slash as well as the standard 5 characters you're escaping. If you read their xss prevention cheat sheet they actually recommend gt, lt, amp, quot, apos, slash and all characters with ASCII values less than 256.

I opened an issue with rack regarding the slash but neglected to mention the ASCII character thing because it could be slow. I thought you might be interested because the performance hit shouldn't be so bad in absolute terms given that you're in C. Here is a link to the rack issue:
http://github.com/rack/rack/issues#issue/27

Cheers!

Support escaping XML, filtering its invalid characters

A simple example is trying to escape the group separator character:

require 'rubygems'
require 'escape_utils'
puts EscapeUtils.escape_html("\x1d", false).inspect
# => "\035"

If this literal character appears in XML, then it will show the following error in Chrome:
PCDATA invalid Char value 29

ActiveSupport to_xml will convert this character to an asterisk, which prevents this problem. So this bug prevents it from being used to escape arbitrary XML data while making sure the output is always valid.
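
An added example, not part of the issue above and not escape_utils code: a pure-Ruby sketch of XML text escaping that also filters code points outside the XML 1.0 `Char` production, so a group separator (0x1D) never reaches the output. The helper names are hypothetical, the input is assumed to be UTF-8, and the `*` replacement is chosen only because the issue mentions an asterisk.

```ruby
# Added illustration; helper names are hypothetical, input is assumed UTF-8.

XML_ENTITIES = {
  '&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
  '"' => '&quot;', "'" => '&apos;'
}.freeze

# XML 1.0 Char production:
#   #x9 | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] | [#x10000-#x10FFFF]
def xml_char?(codepoint)
  codepoint == 0x9 || codepoint == 0xA || codepoint == 0xD ||
    (0x20..0xD7FF).cover?(codepoint) ||
    (0xE000..0xFFFD).cover?(codepoint) ||
    (0x10000..0x10FFFF).cover?(codepoint)
end

# Escape text for use as XML character data or an attribute value.
# Invalid UTF-8 byte sequences and code points that XML 1.0 forbids are
# replaced, so the result is always well-formed character data.
def escape_xml_text(str, replacement = '*')
  utf8 = str.dup.force_encoding(Encoding::UTF_8).scrub(replacement)
  utf8.each_char.map do |ch|
    next replacement unless xml_char?(ch.ord)

    XML_ENTITIES.fetch(ch, ch)
  end.join
end

# Detection helper: true when the string can be embedded as-is
# (after entity escaping) without tripping an XML parser.
def xml_clean?(str)
  utf8 = str.dup.force_encoding(Encoding::UTF_8)
  utf8.valid_encoding? && utf8.each_char.all? { |ch| xml_char?(ch.ord) }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs.
  ["\x1d", "a\u0000b", "tab\there", "<a href='x'>&</a>", "\xFF"].each do |sample|
    puts "#{sample.inspect} clean=#{xml_clean?(sample)} -> #{escape_xml_text(sample).inspect}"
  end
end
```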

don't escape urls in plain text emails

If I require the monkey patches in an initializer in a rails 3 app then urls in plain text emails get escaped automatically like this:

http:&#47;&#47;www.example.com&#47;

without the monkey patches the same url looks like this:

http://www.example.com/

I'm using ERb templates with extension .text.erb. I can work around the issue by calling html_safe on the url, but I guess the behavior with the monkey patches is supposed to be the same as without them.

escape_util is not working properly

Hello,

I tried the escape_utils gem but it is not working as intended. I have also made the following configuration changes in initializers.

require 'escape_utils/html/rack' # to patch Rack::Utils
require 'escape_utils/html/erb' # to patch ERB::Util
require 'escape_utils/html/cgi' # to patch CGI
require 'escape_utils/html/haml' # to patch Haml::Helpers
require 'escape_utils/url/cgi' # to patch CGI
require 'escape_utils/url/erb' # to patch ERB::Util
require 'escape_utils/url/rack' # to patch Rack::Utils
require 'escape_utils/url/uri' # to patch URI
require 'escape_utils/javascript/action_view' # to patch ActionView::Helpers::JavaScriptHelper

It is not escaping asset_path or links in HTML, e.g.

loadCSS("/assets/fonts-base64-woff.css");

Below is the code that is generating above html.


"/> loadCSS("<%= asset_path 'pwbodyicons.css' %>");

Can anyone help to resolve this? I am using Rails 3.2.19 and Ruby 2.1.2p95. One solution is to unescape it ourselves, which can't be done in many places.

Regards,
Junaid

Unescaping '+' into space in request params

I detected a problem when activating this monkey-patch:

require 'escape_utils/url/rack'

If I send some encrypted data in an AJAX request (an RSA-encoded string, for example), it looks like this in Firebug:

Form data:

my-encoded-data:EgI7GWwpw7aDa4J9JSI7sZX4cdPikciVGcdNxlUqfUFlrdOVrvJaJlrlst1D
ZT/ynMUqnYPuJiUGNDRmH0MOqrAwwH/Xd6K8QhyOeEPV0fh2VA6Bi3fKCNSt
4A3N/70s7F1RJM9ynNl0uM3FUcAt+LyTf3RH10Fz2Sq/MI3srg0=

This patch will unescape this string and replace '+' with a space. Obviously, for RSA encryption it's a critical bug ...

Option to not use "+" in escape_url

Hi
following problem:
I'm implementing this uri-template spec. I could really use a version of escape_url without the "+" for whitespace, since this behavior is defined in the spec. Re-replacing the pluses afterward with "%20" is not a good option as this more than doubles the runtime, which is too expensive imho.

If I write a method escape_url2 with this behavior, would you pull it?

escaping stylesheet_link_tag

I'm using escape_utils with Haml and I'm getting some weird output when I use
= stylesheet_link_tag "generated/page"
the output is
link href="/stylesheets/generated/page.css?1285816823" media="screen" rel="stylesheet" type="text/css" /
when it should be
link href="/stylesheets/generated/page.css?1285816823" media="screen" rel="stylesheet" type="text/css" /

It's escaping the slashes, is that correct?
The stylesheets load normally, but I think it shouldn't be escaped.

It's also happening on
javascript_include_tag:
script src="/javascripts/jquery.js?1266118505" type="text/javascript" /script
and image_tag

both in development and production.
using escape_utils 0.1.6 and haml 3.0.21 on rails3 (both with mongrel and passenger)
ruby 1.8.7 and ruby 1.9.2

Losing string encoding

ruby-1.9.1-p378 > x = "hello"
 => "hello" 
 ruby-1.9.1-p378 > x.encoding 
 => #<Encoding:UTF-8> 
 ruby-1.9.1-p378 > y = EscapeUtils.escape_html x
 => "hello" 
 ruby-1.9.1-p378 > y.encoding 
 => #<Encoding:ASCII-8BIT> 

escape_utils/url/uri breaks oauth

The OAuth library uses CGI::escape to encode request headers. CGI::escape will escape = (equal sign), but EscapeUtils.escape_uri does not. As a result, OAuth produces malformed headers.

Wanted: correct URI escaping

Look at the difference:

>> EscapeUtils.escape_uri 'a/ +b'
=> "a/%20+b"
>> EscapeUtils.escape_url 'a/ +b'
=> "a%2F+%2Bb"

IMO both are wrong. Also, the similarity in the two method names is ridiculous. This is what I'd like to see:

>> EscapeUtils.escape_full_uri 'a/ +b'
=> "a/%20%2Bb"
>> EscapeUtils.escape_uri_path 'a/ +b'
=> "a%2F%20%2Bb"

This is closer to how javascript works:

> encodeURI('a/ +b')
'a/%20+b'
> encodeURIComponent('a/ +b')
'a%2F%20%2Bb'

I like to escape + to be safe, because it's not entirely clear if you mean a + or a space. If you agree, I'll happily hack it up and send you a pull. If not, I'll do it anyway and force my fork in GitHub :) :)

version 0.3.0 can't install to windows

In version 0.3.0, it can't be installed on Windows.

This is the cmd information:

Installing escape_utils (0.3.0) with native extensions
Gem::Installer::ExtensionBuildError: ERROR: Failed to build gem native extension.

        d:/Ruby193/bin/ruby.exe extconf.rb
creating Makefile

make
generating escape_utils-i386-mingw32.def
compiling buffer.c
buffer.c: In function 'gh_buf_cmp':
buffer.c:245:2: warning: implicit declaration of function 'MIN'
compiling escape_utils.c
compiling houdini_href_e.c
compiling houdini_html_e.c
compiling houdini_html_u.c
compiling houdini_js_e.c
compiling houdini_js_u.c
compiling houdini_uri_e.c
compiling houdini_uri_u.c
compiling houdini_xml_e.c
linking shared-object escape_utils/escape_utils.so
buffer.o: In function `gh_buf_cmp':
d:\Ruby193\lib\ruby\gems\1.9.1\gems\escape_utils-0.3.0\ext\escape_utils/buffer.c:245: undefined reference to `MIN'
collect2: ld returned 1 exit status
make: *** [escape_utils.so] Error 1


Gem files will remain installed in d:/Ruby193/lib/ruby/gems/1.9.1/gems/escape_utils-0.3.0 for inspection.
Results logged to d:/Ruby193/lib/ruby/gems/1.9.1/gems/escape_utils-0.3.0/ext/escape_utils/gem_make.out
An error occurred while installing escape_utils (0.3.0), and Bundler cannot continue.
Make sure that `gem install escape_utils -v '0.3.0'` succeeds before bundling.

My ruby version is ruby 1.9.3p327, and Development Kit version is DevKit-tdm-32-4.5.2-20111229-1559-sfx

RBASIC(result)->klass = ... breaks on Ruby 2.1.0-dev

I've attempted to compile escape_utils 0.3.2 against MRI 2.1.0-dev as of May 22, and get the following compilation error:

Gem::Installer::ExtensionBuildError: ERROR: Failed to build gem native extension.

    /usr/local/rbenv/versions/2.1.0-dev/bin/ruby extconf.rb 
creating Makefile

make
compiling escape_utils.c
escape_utils.c: In function ‘rb_eu_escape_html_as_html_safe’:
escape_utils.c:126:2: error: assignment of read-only member ‘klass’
make: *** [escape_utils.o] Error 1

I think I found the commit to Ruby trunk that disallowed changing klass: ruby/ruby@4f40181#L0R28

Not entirely sure what needs to be done instead... I think maybe @tmm1 's code from 5d451a6 just needs to be the only option here. IE:

result = rb_funcall(rb_html_string_class, ID_new, 1, result);

is the way used to build the safe string, regardless of RBASIC. I assume this hasn't already been done because it has a performance hit?

unescape_url and escaped plus-signs

Trying to unescape an escaped plus-sign (%2B) leads to the expected plus-sign being unescaped as a space character instead.

Example:

q = "plus+plus"
escaped = EscapeUtils.escape_url(q)
EscapeUtils.unescape_url(escaped) == q
=> false

EscapeUtils.unescape_url(escaped)
=> "plus plus"

This causes the Rack::Utils monkey-patch to convert plus-signs entered in e.g. forms into spaces, as mentioned in #22, and is incompatible with the default escape and unescape methods from Rack::Utils:

url = "http://site.com/?q=plus+plus"
Rack::Utils.escape(url) == EscapeUtils.escape_url(url)
=> true

escaped_url = Rack::Utils.escape(url)
Rack::Utils.unescape(escaped_url) == EscapeUtils.unescape_url(escaped_url)
=> false

Rack::Utils.unescape(escaped_url) == url
=> true # http://site.com/?q=plus+plus

EscapeUtils.unescape_url(escaped_url) == url
=> false # http://site.com/?q=plus plus

The culprit is at: https://github.com/brianmario/escape_utils/blob/master/ext/escape_utils/houdini_uri_u.c#L47 where + is replaced with space after the escaped character substitution.
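
An added example, not part of the issue above and not code from escape_utils or Rack: a pure-Ruby sketch of the ordering problem this issue describes, which also underlies the two earlier reports about form data and '+' in request params. All helper names are hypothetical and the sample values are constructed, apart from `plus+plus` and `+++Test+++`, which come from the issues on this page.

```ruby
# Added illustration; pure Ruby, does not call escape_utils or Rack.
# All helper names are hypothetical.

PERCENT_TRIPLET = /%([0-9A-Fa-f]{2})/n

# Form-style escaping: space -> '+', bytes outside the unreserved set -> %XX.
def form_escape(str)
  str.b.gsub(/[^A-Za-z0-9_.~ -]/n) { |byte| format('%%%02X', byte.ord) }
     .tr(' ', '+').force_encoding(Encoding::UTF_8)
end

# Replace each %XX triplet with the byte it encodes.
def pct_decode(str)
  str.b.gsub(PERCENT_TRIPLET) { Regexp.last_match(1).hex.chr }
end

# The order the issue describes: percent-decode first, then turn '+' into
# a space. A '+' that arrived as %2B is indistinguishable from a literal
# '+' by the time the second step runs, so it becomes a space as well.
def unescape_plus_last(str)
  pct_decode(str).tr('+', ' ').force_encoding(Encoding::UTF_8)
end

# Form decoding order: turn literal '+' into a space first, then
# percent-decode, so %2B survives as '+'.
def unescape_plus_first(str)
  pct_decode(str.tr('+', ' ')).force_encoding(Encoding::UTF_8)
end

# Round-trip check usable as a regression test: returns the values that
# the given decoder fails to restore after form_escape.
def lossy_values(values, decoder)
  values.reject { |value| send(decoder, form_escape(value)) == value }
end

# 'plus+plus' and '+++Test+++' appear in the issues on this page; the
# base64-looking value and 'a b' are constructed.
SAMPLES = ['plus+plus', '+++Test+++', 't+LyTf3RH10=', 'a b'].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |value|
    escaped = form_escape(value)
    puts "#{value.inspect} -> #{escaped.inspect}"
    puts "  plus replaced last:  #{unescape_plus_last(escaped).inspect}"
    puts "  plus replaced first: #{unescape_plus_first(escaped).inspect}"
  end
end
```

Running `lossy_values` over a handful of values containing '+' in an application's test suite catches this class of regression whenever a URL-decoding monkey-patch is added or upgraded.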

Hamlit

Hamlit is a faster implementation for Haml. We've been using it in a couple of projects and would love to see escape_utils compatible. Is it already? How can I help otherwise?

issue installing escape_utils -v '0.3.2'

Hello,
I have been trying to install escape_utils -v '0.3.2' and I get the following error:

$ gem install escape_utils -v '0.3.2'
Building native extensions. This could take a while...
ERROR: Error installing escape_utils:
ERROR: Failed to build gem native extension.

/Users//.rvm/rubies/ruby-2.1.0/bin/ruby extconf.rb
creating Makefile

make "DESTDIR=" clean

make "DESTDIR="
compiling buffer.c
compiling escape_utils.c
escape_utils.c:126:24: error: read-only variable is not assignable
RBASIC(result)->klass = rb_html_safe_string_class;

1 error generated.
make: *** [escape_utils.o] Error 1

make failed, exit code 2

Gem files will remain installed in /Users//.rvm/gems/ruby-2.1.0/gems/escape_utils-0.3.2 for inspection.
Results logged to /Users//.rvm/gems/ruby-2.1.0/extensions/x86_64-darwin-12/2.1.0-static/escape_utils-0.3.2/gem_make.out

My ruby version is the following:
$ ruby -v
ruby 2.1.0p0 (2013-12-25 revision 44422) [x86_64-darwin12.0]

I am also able to do gem install escape_utils and work with version 1.0.0 without any problems.

Any help would be appreciated.

Cheers!

Support other encodings

I'd like to be able to safely use this library without taking encoding into consideration.
What would it take for us to support arbitrary encodings?

Encoding.default_internal is not used in some case

OK:

it "should use Encoding.default_internal" do
  Encoding.default_internal = Encoding.find('utf-8')
  EscapeUtils.unescape_url("http%3A%2F%2Fwww.homerun.com%2F".force_encoding("US-ASCII")).encoding.should eql(Encoding.default_internal)
end

NG:

it "should use Encoding.default_internal" do
  Encoding.default_internal = Encoding.find('utf-8')
  EscapeUtils.unescape_url("%E2%9C%93".force_encoding("US-ASCII")).encoding.should eql(Encoding.default_internal)
end

Should we deprecate `escape_url` and `unescape_url` ?

Similar to #78

If the README is to be believed, historically EscapeUtils.escape_url was about 40 times faster than CGI.escape:

CGI.escape
 0.440000   0.000000   0.440000 (  0.443017)
EscapeUtils.escape_url
 0.010000   0.000000   0.010000 (  0.010843)

But running the benchmark on a modern Ruby, the difference is now only 68%:

EscapeUtils.escape_url:  3311825.2 i/s
          CGI.escape:  1969841.8 i/s - 1.68x  (± 0.00) slower

Which isn't bad, but is it good enough to justify a gem and some monkey patches?

On the unescape side of things the difference is even smaller:

EscapeUtils.unescape_url:  2941962.7 i/s
        CGI.unescape:  2232433.7 i/s - 1.32x  (± 0.00) slower

So I'm tempted to deprecate and to redirect people to CGI.escape / unescape

@jhawthorn what do you think?

Error installing version 1.1.0

I have an error installing version 1.1.0:

Building native extensions.  This could take a while...
ERROR:  Error installing escape_utils:
        ERROR: Failed to build gem native extension.

    C:/root/Ruby/19E105~1.3/bin/ruby.exe extconf.rb
creating Makefile

make  clean

make
generating escape_utils-i386-mingw32.def
compiling buffer.c
buffer.c: In function 'gh_buf_cmp':
buffer.c:245:2: warning: implicit declaration of function 'MIN'
buffer.c: In function 'gh_buf_init':
buffer.c:36:1: warning: visibility attribute not supported in this configuration; ignored
buffer.c: In function 'gh_buf_try_grow':
buffer.c:82:1: warning: visibility attribute not supported in this configuration; ignored
buffer.c: In function 'gh_buf_free':
buffer.c:92:1: warning: visibility attribute not supported in this configuration; ignored
buffer.c: In function 'gh_buf_clear':
buffer.c:99:1: warning: visibility attribute not supported in this configuration; ignored
buffer.c: In function 'gh_buf_set':
buffer.c:114:1: warning: visibility attribute not supported in this configuration; ignored
buffer.c: In function 'gh_buf_sets':
buffer.c:119:1: warning: visibility attribute not supported in this configuration; ignored
buffer.c: In function 'gh_buf_putc':
buffer.c:127:1: warning: visibility attribute not supported in this configuration; ignored
buffer.c: In function 'gh_buf_put':
buffer.c:136:1: warning: visibility attribute not supported in this configuration; ignored
buffer.c: In function 'gh_buf_puts':
buffer.c:142:1: warning: visibility attribute not supported in this configuration; ignored
buffer.c: In function 'gh_buf_vprintf':
buffer.c:176:1: warning: visibility attribute not supported in this configuration; ignored
buffer.c: In function 'gh_buf_printf':
buffer.c:188:1: warning: visibility attribute not supported in this configuration; ignored
buffer.c: In function 'gh_buf_copy_cstr':
buffer.c:206:1: warning: visibility attribute not supported in this configuration; ignored
buffer.c: In function 'gh_buf_swap':
buffer.c:213:1: warning: visibility attribute not supported in this configuration; ignored
buffer.c: In function 'gh_buf_detach':
buffer.c:225:1: warning: visibility attribute not supported in this configuration; ignored
buffer.c: In function 'gh_buf_attach':
buffer.c:241:1: warning: visibility attribute not supported in this configuration; ignored
buffer.c: In function 'gh_buf_cmp':
buffer.c:248:1: warning: visibility attribute not supported in this configuration; ignored
buffer.c: At top level:
buffer.c:248:1: warning: visibility attribute not supported in this configuration; ignored
buffer.c:248:1: warning: visibility attribute not supported in this configuration; ignored
compiling escape_utils.c
compiling houdini_href_e.c
houdini_href_e.c: In function 'houdini_escape_href':
houdini_href_e.c:115:1: warning: visibility attribute not supported in this configuration; ignored
compiling houdini_html_e.c
houdini_html_e.c: In function 'houdini_escape_html0':
houdini_html_e.c:83:1: warning: visibility attribute not supported in this configuration; ignored
houdini_html_e.c: In function 'houdini_escape_html':
houdini_html_e.c:89:1: warning: visibility attribute not supported in this configuration; ignored
compiling houdini_html_u.c
In file included from houdini_html_u.c:6:0:
html_unescape.gperf: In function 'find_entity':
html_unescape.gperf:174:1: warning: visibility attribute not supported in this configuration; ignored
houdini_html_u.c: In function 'houdini_unescape_html':
houdini_html_u.c:121:1: warning: visibility attribute not supported in this configuration; ignored
compiling houdini_js_e.c
houdini_js_e.c: In function 'houdini_escape_js':
houdini_js_e.c:89:1: warning: visibility attribute not supported in this configuration; ignored
compiling houdini_js_u.c
houdini_js_u.c: In function 'houdini_unescape_js':
houdini_js_u.c:59:1: warning: visibility attribute not supported in this configuration; ignored
compiling houdini_uri_e.c
houdini_uri_e.c: In function 'houdini_escape_uri':
houdini_uri_e.c:94:1: warning: visibility attribute not supported in this configuration; ignored
houdini_uri_e.c: In function 'houdini_escape_uri_component':
houdini_uri_e.c:100:1: warning: visibility attribute not supported in this configuration; ignored
houdini_uri_e.c: In function 'houdini_escape_url':
houdini_uri_e.c:106:1: warning: visibility attribute not supported in this configuration; ignored
compiling houdini_uri_u.c
houdini_uri_u.c: In function 'houdini_unescape_uri':
houdini_uri_u.c:55:1: warning: visibility attribute not supported in this configuration; ignored
houdini_uri_u.c: In function 'houdini_unescape_uri_component':
houdini_uri_u.c:61:1: warning: visibility attribute not supported in this configuration; ignored
houdini_uri_u.c: In function 'houdini_unescape_url':
houdini_uri_u.c:67:1: warning: visibility attribute not supported in this configuration; ignored
compiling houdini_xml_e.c
houdini_xml_e.c: In function 'houdini_escape_xml':
houdini_xml_e.c:136:1: warning: visibility attribute not supported in this configuration; ignored
linking shared-object escape_utils/escape_utils.so
buffer.o: In function `gh_buf_cmp':
C:\root\Ruby\19E105~1.3\lib\ruby\gems\1.9.1\gems\escape_utils-1.1.0\ext\escape_utils/buffer.c:245: undefined reference to `MIN'
collect2: ld returned 1 exit status
make: *** [escape_utils.so] Error 1

make failed, exit code 2

There is no problem with previous versions, e.g. 1.0.0.

  • Ruby ruby 1.9.3p484 (2013-11-22) [i386-mingw32]
  • RubyGems 2.3.0
  • Windows 7 x64

escape_utils/url/rack incompatible with newer versions of rack

I've spent the last several hours tracking down a bug in one of my applications. It was causing extremely erratic behavior, mostly problems in production with people being signed out or redirected improperly. On the development side I encountered these errors but couldn't get a test case. What I did find was that my integration tests were failing randomly. Randomly as in each run a different set of tests would fail at different assertions. I figured it had to be a recent change but I started by taking out a bunch of libraries that are unessential, like escape_utils. Imagine my surprise when the problem was fixed. Adding gems back in one by one, escape_utils seemed to cause the problem. Going through the monkey patches I found the url/rack patch was the problem. I suspect this is due to the changes in how rack handles escape and unescape and some other change that was added recently, within the last month:

https://github.com/rack/rack/blob/master/lib/rack/utils.rb

Probably the url/rack monkeypatch is not compatible with newer versions of rack. I thought you should know.

Building native extensions for JRuby fails

The error:

Building native extensions.  This could take a while...
ERROR:  Error installing escape_utils:
    ERROR: Failed to build gem native extension.

/Users/dave/.rvm/rubies/jruby-1.5.1/bin/jruby extconf.rb
WARNING: JRuby does not support native extensions or the `mkmf' library.
         Check http://kenai.com/projects/jruby/pages/Home for alternatives.
extconf.rb:5: undefined method `<<' for nil:NilClass (NoMethodError)

ERB::Util.html_escape should call #to_s on argument

The erb monkey patch should convert its argument to a string so that it doesn't unexpectedly try to escape, for example, a Fixnum. An example of this in practice would be a Rails form generated using form helpers like so, with id being a Fixnum:

<% form_for ... %>
  <%= f.hidden_field :id %>
<% end %>

A simple change would fix this:

class ERB
  module Util
    def html_escape(s)
      EscapeUtils.escape_html(s.to_s)
    end
  end
end

Thanks!
