Open ari opened 7 years ago
We can use http://apidock.com/rails/ActionView/Helpers/SanitizeHelper/sanitize to avoid this issue. But it can hide some parts of bodies for existing snippets, for example
Isn't this the same problem we have in task comments? Why aren't we getting an error there?
At any rate, I'd like to move to markdown for comment text (with some extensions of our own like #1234 task links). I guess we'll need to think about incoming text from emails too, but hopefully markdown will cope with that.
Security issue from Hakiri: Unescaped model attribute in app/views/snippets/show.html.erb
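The trade-off raised in the thread (an unescaped attribute renders whatever is stored in the body, full escaping makes every tag visible text, an allowlist sanitizer keeps formatting but drops script) can be shown side by side. The following is an added example, not code from this issue or the project: it uses only Ruby's standard library, so `ERB::Util.html_escape` stands in for what Rails' `<%= %>` applies by default, and `sanitize_allowlist` is a constructed, deliberately simplified stand-in for `sanitize` / rails-html-sanitizer (it does not handle every HTML corner case, such as `>` inside attribute values). The snippet body is constructed test input.

```ruby
# Added example (not code from the original issue or project): three ways a
# stored snippet body can reach the rendered page, using Ruby's stdlib only.
require "erb"
require "set"

# Constructed sample snippet body: legitimate formatting plus an injected
# script element and an event-handler attribute, the shape of a stored-XSS
# test input.
SAMPLE_BODY = '<p>Run <code>ls -la</code> first.</p>' \
              '<script>evil()</script><b onclick="evil()">bold</b>'

# Tags that snippet formatting legitimately needs (assumed allowlist).
ALLOWED_TAGS = Set["p", "b", "i", "code", "pre", "a"].freeze

# 1. An unescaped attribute (raw / html_safe in a view): the body is emitted
#    verbatim, script included. This is what the Hakiri finding points at.
def render_raw(body)
  body
end

# 2. Default escaping (what <%= %> does in Rails): safe, but every tag,
#    including <code>, becomes visible text. This is the "hides parts of
#    existing snippet bodies" problem raised in the thread.
def render_escaped(body)
  ERB::Util.html_escape(body)
end

# 3. Allowlist sanitising: keeps tags in ALLOWED_TAGS (attributes dropped),
#    removes other tags but keeps their text, and drops script/style
#    elements together with their content. Simplified stand-in for Rails'
#    sanitize helper, for illustration only.
TAG_RE = %r{<(/?)([a-zA-Z][a-zA-Z0-9]*)[^>]*>}

def sanitize_allowlist(body, allowed = ALLOWED_TAGS)
  out = +""
  skip_until = nil # name of the element whose closing tag ends a dropped region
  pos = 0
  body.scan(TAG_RE) do
    m = Regexp.last_match
    text = body[pos...m.begin(0)]
    out << text unless skip_until
    closing = m[1] == "/"
    name = m[2].downcase
    if skip_until
      skip_until = nil if closing && name == skip_until
    elsif %w[script style].include?(name) && !closing
      skip_until = name
    elsif allowed.include?(name)
      out << (closing ? "</#{name}>" : "<#{name}>")
    end
    pos = m.end(0)
  end
  out << body[pos..-1] unless skip_until
  out
end

if __FILE__ == $PROGRAM_NAME
  puts "raw:       #{render_raw(SAMPLE_BODY)}"
  puts "escaped:   #{render_escaped(SAMPLE_BODY)}"
  puts "sanitized: #{sanitize_allowlist(SAMPLE_BODY)}"
end
```

In a Rails view the three cases correspond to `<%= raw snippet.body %>` (or `snippet.body.html_safe`), `<%= snippet.body %>`, and `<%= sanitize snippet.body, tags: %w[p b i code pre a], attributes: %w[href] %>`; the `tags:` and `attributes:` options are how the allowlist is narrowed to what snippets actually use. Attribute-level handling matters because an `onclick` on an otherwise permitted `<b>` is just as executable as a `<script>` element.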