bernat / best_in_place

A RESTful unobtrusive jQuery Inplace-Editor and a helper as a Rails Gem
http://blog.bernatfarrero.com/in-place-editing-with-javascript-jquery-and-rails-3/

If bip field does not support raw format, prevent XSS when passing HTML tags #506

Closed IgorDobryn closed 5 years ago

IgorDobryn commented 9 years ago

When it's not supposed to display HTML tags, it turns out there is XSS. You can reproduce this issue by editing a field without the raw data attribute and passing <script>alert('XSS')</script>.

Right now the server always responds with escaped values. It unescapes values only if raw is enabled.
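An added example, not code from best_in_place or from the reporter, modelling the server-side rule described in the comment above (escape every value, unescape only when raw is enabled) against the payload from the report. The module and method names are hypothetical, and the raw flag is passed in as a plain argument rather than read from the field's data attribute:

```ruby
require "cgi"

# Added example, not best_in_place's own code: a model of the server-side
# escaping rule this issue describes. Module and method names are hypothetical.
module BipEscaping
  # The payload from the issue report (constructed test input).
  XSS_PAYLOAD = "<script>alert('XSS')</script>".freeze

  # Vulnerable behaviour: the submitted value goes back to the client as-is,
  # and an in-place editor that writes the response into the page as HTML
  # will execute the script.
  def self.response_value_vulnerable(value, raw: false)
    value.to_s
  end

  # Hardened behaviour: escape every value, then unescape only for a field
  # that has raw explicitly enabled. A field without raw can never receive
  # markup, whatever the user typed.
  def self.response_value(value, raw: false)
    escaped = CGI.escapeHTML(value.to_s)
    raw ? CGI.unescapeHTML(escaped) : escaped
  end

  # Quick check a test suite can run over a response body: true when no
  # tag-opening character survives, i.e. the browser will show literal text.
  def self.markup_free?(value)
    !value.match?(/[<>]/)
  end
end

if $PROGRAM_NAME == __FILE__
  [false, true].each do |raw|
    puts "raw=#{raw}: #{BipEscaping.response_value(BipEscaping::XSS_PAYLOAD, raw: raw)}"
  end
end
```

Running the file prints the escaped and the raw form of the payload. The raw branch is effectively an identity transform, so the decision to enable raw for a field has to come from server-side configuration of that field, not from anything the client sends along with the update.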

a-chumagin commented 9 years ago

+1

jiwire commented 9 years ago

+1

vkatz-ninthdecimal commented 9 years ago

+1

vkurnavenkov commented 9 years ago

great, thanks @IgorDobryn :+1: