Shopify / tree_stand

A high-level Ruby wrapper for tree-sitter bindings.
https://rubygems.org/gems/tree_stand
MIT License

Resolve possibility for XSS #31

Closed RedYetiDev closed 7 months ago

RedYetiDev commented 8 months ago

This PR fixes the XSS vulnerability in YARD 0.9.34, by using code from a later version of yard.

RedYetiDev commented 8 months ago

I have signed the CLA!

RedYetiDev commented 7 months ago

Hey, any update on this?

DerekStride commented 7 months ago

I have a couple of concerns:

  1. That HTML file is generated by running bundle exec yard, so modifying it in a PR will get undone on the next deploy. This should be fixed by updating YARD on the main branch instead.
  2. This project has been merged upstream in ruby_tree_sitter (see https://github.com/Shopify/tree_stand/pull/32) and may suffer from this same issue. That's a better place to apply the fix.

RedYetiDev commented 7 months ago

If this is to be deprecated, then this pull really won't help with anything, so you're right, and I'll check out the upstream. Thank you for your help. If you want to resolve the issue down here, just update yard to 0.9.36 or higher.