Esri / application-boilerplate-3x-js

Starter application that simplifies the process of building templates for the ArcGIS.com template gallery.
https://developers.arcgis.com/javascript/
Apache License 2.0
90 stars, 68 forks

Update template.js #36

Closed kellyhutchins closed 9 years ago

kellyhutchins commented 9 years ago

Strip html tags from url parameters for issue #35

kellyhutchins commented 9 years ago

@driskull @MikeTschudi do you see any issues with adding this logic to the boilerplate?

driskull commented 9 years ago

where are html tags getting into the param?

driskull commented 9 years ago

seems like if there's a specific param getting HTML tags in it and they need to be removed, it should be done on the app side. html tags shouldn't ever be in the param unless they are url encoded anyway

kellyhutchins commented 9 years ago

This issue is more about preventing users from doing malicious things with the url params. It's come up a few times related to various templates because the fact that we don't strip html tags from the url params raises a red flag with some organizations' security checks. To prevent someone from doing something like this:

[screenshot: screen shot 2014-11-20 at 1 13 10 pm]

driskull commented 9 years ago

That makes sense. Should we just do this in the API urlObject?

pspraveenkr commented 9 years ago

Should we just do this in the API urlObject?

Yes - can one of you do a PR and have it reviewed by @ycabon?

cc @dasa

kellyhutchins commented 9 years ago

Thanks @driskull, I'm going to close this pull request.

MikeTschudi commented 9 years ago

@kellyhutchins @driskull An excellent modification, thanks.