ari / jobsworth

Project Management, Collaboration and Time Tracking.
GNU Affero General Public License v3.0

Cross-Site Scripting Warning in app/views/snippets/show.html.erb #654

Open ari opened 7 years ago

ari commented 7 years ago

Security issue from Hakiri: Unescaped model attribute in app/views/snippets/show.html.erb

k41n commented 7 years ago

We can use http://apidock.com/rails/ActionView/Helpers/SanitizeHelper/sanitize to avoid this issue. But it can hide some parts of bodies for existing snippets, for example or [some URL] on snippet view page. We can customize it, but need to define white list for tags. @ari

ari commented 7 years ago

Isn't this the same problem we have in task comments? Why aren't we getting an error there?

At any rate, I'd like to move to markdown for comment text (with some extensions of our own like #1234 task links). I guess we'll need to think about incoming text from emails too, but hopefully markdown will cope with that.
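An illustration of the two patterns the thread weighs against each other, added here and not taken from the jobsworth code base: the unescaped output that produces the "Unescaped model attribute" warning, beside a `sanitize` call with an explicit tag and attribute allowlist. The instance variable `@snippet`, its `body` attribute and the contents of the allowlist are assumptions, not values from the issue.

```erb
<%# Added example, not jobsworth's own view. Assumes the record is in @snippet
    and its user-supplied HTML lives in @snippet.body (both assumed names). %>

<%# BEFORE: raw (like html_safe or the double-equals ERB output tag) bypasses
    Rails' automatic HTML escaping, so any markup stored in the body, including
    script and event-handler attributes, reaches the browser verbatim. This is
    the shape of output Brakeman/Hakiri reports as an unescaped model attribute. %>
<div class="snippet-body">
  <%= raw @snippet.body %>
</div>

<%# AFTER: keep only the formatting the snippet view needs and strip the rest.
    Tags and attributes absent from the lists are removed, which is the "hidden
    parts of bodies" trade-off noted above; extend the lists deliberately for
    each element the views rely on rather than falling back to raw. %>
<div class="snippet-body">
  <%= sanitize @snippet.body,
        tags:       %w(p br a img pre code ul ol li strong em blockquote),
        attributes: %w(href src alt title) %>
</div>

<%# A plain ERB output tag with no raw/html_safe escapes the whole body; use
    that form where the body is meant to be shown as text, not rendered markup. %>
```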