Closed mbrookes closed 11 years ago
Consider the attribute:
data: { confirm: "Are you sure? The page <strong>#{page.title}</strong> will be permanently deleted." }
For the page.title (which may be user input) of <script>alert('Boo!')</script> a JavaScript alert is raised.
I don't think this gem should decide if it should be made html safe or not. If you want to use a safe version of page.title you could use $(page.title).text().
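An added example, not code from this thread or from the gem: a caller-side way to keep the `<strong>` markup in the confirm message while making the title inert, by HTML-escaping the untrusted value before interpolation. The helper names are hypothetical, and `to_attribute` / `markup_seen_by_dialog` are assumptions that model the view escaping the attribute value once and the browser decoding it once before the message is inserted as HTML.

```ruby
require "erb"
require "cgi"

# Constructed sample input: the title from the issue report.
HOSTILE_TITLE = "<script>alert('Boo!')</script>"

# Builds the confirm message. The <strong> wrapper is trusted template
# markup; the title is untrusted and is HTML-escaped before interpolation.
def confirm_message(title, escape: true)
  shown = escape ? ERB::Util.html_escape(title) : title
  "Are you sure? The page <strong>#{shown}</strong> will be permanently deleted."
end

# Assumption: models the view layer writing the data-confirm attribute,
# which escapes the value once for the attribute context.
def to_attribute(value)
  ERB::Util.html_escape(value)
end

# Assumption: models the browser decoding the attribute value before the
# confirm script reads it and inserts it into the dialog as HTML.
def markup_seen_by_dialog(attribute_value)
  CGI.unescapeHTML(attribute_value)
end

# Full path from server-side string to the markup the dialog renders.
def round_trip(title, escape:)
  markup_seen_by_dialog(to_attribute(confirm_message(title, escape: escape)))
end

if __FILE__ == $PROGRAM_NAME
  puts "unescaped title: #{round_trip(HOSTILE_TITLE, escape: false)}"
  puts "escaped title:   #{round_trip(HOSTILE_TITLE, escape: true)}"
end
```

Attribute escaping alone does not help here because it is undone when the attribute is read back; only the extra escape applied to the title survives to the point where the message is treated as HTML.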