bootstrap-ruby / bootstrap_form

Official repository of the bootstrap_form gem, a Rails form builder that makes it super easy to create beautiful-looking forms using Bootstrap 5.
MIT License

Possible Unsafe String Interpolation #653

Open lcreid opened 1 year ago

lcreid commented 1 year ago

While refactoring for #642, BootstrapFormGroupTest#test_append_and_prepend_button started outputting escaped strings instead of HTML. But the test hadn't changed. So the question is, did the code always allow unsafe strings to be passed in and be rendered without being checked for HTML-safeness?

donv commented 9 months ago

@lcreid Is there anything to do on this issue?

lcreid commented 9 months ago

I'd like to leave this open, but I don't think it's high priority to address, since what I observed is that HTML was getting escaped, which is safer than if we were allowing through HTML that might not be safe to render.
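The behaviour both comments above describe, a plain String being escaped when it lands in rendered output while markup explicitly marked safe passes through, is Rails' html_safe? convention. The following is an added example that is not bootstrap_form's code: SafeBuffer here is a deliberately simplified stand-in for ActiveSupport::SafeBuffer, html_safe and input_group are hypothetical helpers, and the input/button strings are constructed samples. Only the Ruby standard library is used, so it runs without Rails.

```ruby
require "erb"

# Simplified model of Rails' ActiveSupport::SafeBuffer (hypothetical stand-in,
# not the real class): everything accumulated in the buffer is treated as safe
# HTML, so any value appended that is NOT marked safe is escaped on the way in.
class SafeBuffer
  def initialize(str = "")
    @buf = str.to_s.dup
  end

  # Values the developer has explicitly vouched for pass through unchanged;
  # everything else goes through the stdlib escaper (& < > " ').
  def <<(value)
    @buf << if value.respond_to?(:html_safe?) && value.html_safe?
              value.to_s
            else
              ERB::Util.html_escape(value.to_s)
            end
    self
  end

  def html_safe?
    true
  end

  def to_s
    @buf.dup
  end
end

# Mark a string as trusted markup (the analogue of String#html_safe in Rails).
# This is the point where the caller takes responsibility for the content.
def html_safe(str)
  SafeBuffer.new(str)
end

# Build an input group the way a form builder's prepend/append options would:
# the wrapper markup is trusted, the caller-supplied pieces are whatever they are.
def input_group(input_html, prepend: nil, append: nil)
  buf = SafeBuffer.new
  buf << html_safe('<div class="input-group">')
  buf << html_safe('<span class="input-group-text">') << prepend << html_safe("</span>") if prepend
  buf << input_html
  buf << html_safe('<span class="input-group-text">') << append << html_safe("</span>") if append
  buf << html_safe("</div>")
  buf.to_s
end

# Constructed sample inputs.
INPUT  = html_safe('<input type="text" name="q">') # markup the builder itself produced
BUTTON = '<button class="btn">Go</button>'         # a plain String, not marked safe

if $PROGRAM_NAME == __FILE__
  # A plain String is escaped: this is the "escaped strings instead of HTML"
  # symptom from the issue, and it is the safe default.
  puts input_group(INPUT, append: BUTTON)
  # The same markup marked safe by the caller is rendered as HTML.
  puts input_group(INPUT, append: html_safe(BUTTON))
  # Ordinary text with special characters is escaped rather than broken.
  puts input_group(INPUT, prepend: "Tom & Jerry")
end
```

The useful check for a form builder is the first case: if a caller hands in a plain String and it comes out escaped, the builder is doing the right thing, and the fix on the caller's side is to mark the markup safe deliberately rather than for the builder to assume it is.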