afeld / jeditable-rails

a gem to add in-place-editable fields to your Rails project
MIT License

Plugin is vulnerable to xss #12

Open AKoetsier opened 13 years ago

AKoetsier commented 13 years ago

The value from the object is marked as html_safe. I think it should be escaped by default and make the plugin output raw values when this is selected in the options.

soyuka commented 12 years ago

+1 Even with callback or data or loadUrl, I still get a flash from html and Githubissues.
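The pattern the issue describes, shown beside the escape-by-default variant the reporter proposes, as an added example that is not the gem's own code. The helper names, the `raw:` option and the sample record are hypothetical; Ruby's stdlib `ERB::Util.html_escape` stands in for Rails' `h`/`html_safe` so the snippet runs without Rails.

```ruby
require "erb"

# Constructed sample record (not from the gem): the attribute holds attacker-controlled text,
# e.g. a title a user saved through the in-place editor.
Article = Struct.new(:id, :title)
ATTACK = Article.new(7, %q{<img src=x onerror="alert(document.cookie)">})

# Vulnerable pattern the issue describes: the stored value is dropped into the markup
# unescaped, which is what marking it html_safe amounts to. Hypothetical helper name.
def editable_field_unsafe(record, attribute)
  value = record.public_send(attribute)
  %(<span class="editable" data-id="#{record.id}" data-attr="#{attribute}">#{value}</span>)
end

# Hardened variant: escape by default; emit the value as raw markup only when the
# caller explicitly opts in (the option the reporter asks for).
def editable_field(record, attribute, raw: false)
  value = record.public_send(attribute).to_s
  body  = raw ? value : ERB::Util.html_escape(value)
  id    = ERB::Util.html_escape(record.id.to_s)
  attr  = ERB::Util.html_escape(attribute.to_s)
  %(<span class="editable" data-id="#{id}" data-attr="#{attr}">#{body}</span>)
end

# Crude check for the demonstration: an unescaped "<img" means the payload survived
# as a tag; the escaped form starts with "&lt;img" instead.
def contains_unescaped_tag?(html)
  html.include?("<img")
end

if __FILE__ == $0
  puts "unsafe:   #{editable_field_unsafe(ATTACK, :title)}"
  puts "escaped:  #{editable_field(ATTACK, :title)}"
  puts "raw opt:  #{editable_field(ATTACK, :title, raw: true)}"
end
```

In a real Rails helper the escaped branch would return the result of `h(value)` wrapped in the tag via `content_tag`, and only the `raw: true` branch would call `html_safe`; the point is that the default path never trusts the stored value.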
