From: justin@...
Date: 2018-11-12T15:59:11+00:00
Subject: [ruby-core:89776] [Ruby trunk Misc#15294] Add warnings for invalid ERB trim modes

Issue #15294 has been updated by jsc (Justin Collins).


Thank you!

----------------------------------------
Misc #15294: Add warnings for invalid ERB trim modes
https://bugs.ruby-lang.org/issues/15294#change-74840

* Author: jsc (Justin Collins)
* Status: Closed
* Priority: Normal
* Assignee: k0kubun (Takashi Kokubun)
----------------------------------------
Currently, the ERB library will accept any value for the "trim mode". If the trim mode is any string containing `%`, `-`, `>`, `<>` or an integer 0-2, the appropriate trim mode will be set. If not, no exception or warning is raised.

I had a bug in Brakeman for 1.5 years because I was passing the wrong value as the trim mode. Since the value *coincidentally* contained `-` on my test machine, I didn't notice until yesterday.

The attached patch proposes reporting a warning if an invalid trim mode is provided. It does allow a couple of invalid modes (you could provide duplicate or conflicting values, like `%%` or `<>>`), but I think this is still an improvement over accepting any value at all.

If there is interest, I could spend some time to make it even more strict.

I set the `uplevel` to `5`, which is right if a user is calling `ERB.new` (most common case?). I don't know if that is the correct approach.

In the future, perhaps this should be an exception instead of a warning.

---Files--------------------------------
erb_trim_mode_warning.patch (1.41 KB)


-- 
https://bugs.ruby-lang.org/
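The behaviour the issue describes, shown as an added example that is neither the attached patch nor ERB's own code: a check that classifies a trim mode the way the issue says ERB does (integer 0-2 selects a fixed mode, any string is scanned for the known substrings) and returns a warning string for values outside the documented set. The regular expression, the function names and the returned array shape are assumptions made here; the warning is returned rather than emitted with `warn` so it can be inspected. The second function renders with the real `ERB` class (`trim_mode:` keyword, Ruby 2.6+) to show the coincidence from the report: a wrong value that happens to contain `-` still renders exactly like `'-'`.

```ruby
require 'erb'

# Added example, not the patch attached to the issue and not ERB's own code.
# One or two of the documented trim tokens; the pattern itself is an assumption,
# and like the issue's patch it still accepts duplicates such as '%%' or '<>>'.
VALID_TRIM_MODE = /\A(%|-|>|<>){1,2}\z/

# Returns [percent_line_mode, trim_token, warning_or_nil].
# Token selection mirrors the behaviour described in the issue: an Integer 0..2
# selects a fixed mode, and any String is scanned for the known substrings, so a
# wrong value that merely contains '-' is silently treated as '-' mode.
def check_trim_mode(mode)
  case mode
  when nil, 0 then [false, nil, nil]
  when 1      then [false, '>', nil]
  when 2      then [false, '<>', nil]
  when String
    warning = VALID_TRIM_MODE.match?(mode) ? nil : "invalid ERB trim mode: #{mode.inspect}"
    trim = if mode.include?('-')     then '-'
           elsif mode.include?('<>') then '<>'
           elsif mode.include?('>')  then '>'
           end
    [mode.include?('%'), trim, warning]
  else
    # Anything that is neither an Integer 0..2 nor a String gets no trimming at all.
    [false, nil, "invalid ERB trim mode: #{mode.inspect}"]
  end
end

# Renders with the real ERB class so the coincidence from the report is visible:
# returns [rendered_output, warning_or_nil]. With a bogus mode that contains '-'
# the output is identical to the correct call; only the warning differs.
def render_with_check(template, mode)
  _percent, _trim, warning = check_trim_mode(mode)
  output = ERB.new(template, trim_mode: mode).result(binding)
  [output, warning]
end

# Constructed sample template: '<%-' / '-%>' only trim when '-' mode is active.
TEMPLATE = "<%- x = 1 -%>\n<%= x %>\n"

if __FILE__ == $PROGRAM_NAME
  p render_with_check(TEMPLATE, '-')        # ["1\n", nil]
  p render_with_check(TEMPLATE, 'bogus-')   # ["1\n", "invalid ERB trim mode: \"bogus-\""]
end
```

Running the file prints the same rendered text for `'-'` and `'bogus-'`; only the second call carries a warning, which is the gap the issue asks ERB to close.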
