codebrew / backbone-rails

Easily use backbone.js with rails 3.1
MIT License
1.62k stars 255 forks

Need to upgrade required EJS for HTML-escaping? #122

Closed dvgica closed 12 years ago

dvgica commented 12 years ago

I noticed that in the current version (0.7.2) there doesn't seem to be any protection from XSS by default.

This gem depends on ruby-ejs ~> 1.0.0 which does not support Underscore-style escaping, i.e. <%- %>. What is the normal approach to mitigate this deficiency?

One solution would be to upgrade the dependency to the latest version of ruby-ejs. EJS supports Underscore-style HTML-escaping since 1.1.0. See https://github.com/sstephenson/ruby-ejs/commit/e87d6602714fba13f90d01e900040afc71e957d7.

Thoughts?
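An added example, not code from backbone-rails or ruby-ejs: a minimal JavaScript template compiler that mimics the two delimiters the comment contrasts, `<%= %>` (interpolate, inserted verbatim) and Underscore-style `<%- %>` (HTML-escaped), rendered over a constructed untrusted model attribute so the difference in output is visible. The `compile` and `escapeHtml` functions, the escape map, and the sample data are assumptions of this example, not the gem's implementation.

```javascript
// Added example: a toy subset of Underscore/EJS templating, only enough to show
// why the <%- %> escape delimiter matters. Real EJS also handles <% %> evaluate
// blocks and many more cases; none of that is modelled here.

// Escape map in the style of Underscore 1.3-era _.escape (assumed, not from the gem).
const ESCAPE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"'/]/g, (ch) => ESCAPE_MAP[ch]);
}

// Compile a template into a render function.
//   <%= expr %>  interpolate: value inserted verbatim (the only form ruby-ejs 1.0.0 knows)
//   <%- expr %>  escape: value HTML-escaped first (the form the issue asks for)
function compile(source) {
  const pattern = /<%([=-])\s*([\s\S]+?)\s*%>/g;
  const parts = [];
  let last = 0;
  let m;
  while ((m = pattern.exec(source)) !== null) {
    parts.push(JSON.stringify(source.slice(last, m.index)));   // literal text
    const expr = `(${m[2]})`;
    parts.push(m[1] === '-' ? `escapeHtml(${expr})` : `String(${expr})`);
    last = pattern.lastIndex;
  }
  parts.push(JSON.stringify(source.slice(last)));
  // `with` exposes the data object's keys as template variables, as Underscore does.
  const fn = new Function('data', 'escapeHtml', `with (data) { return ${parts.join(' + ')}; }`);
  return (data) => fn(data, escapeHtml);
}

// Constructed sample: a user-controlled attribute that happens to contain markup.
const UNTRUSTED_NAME = 'Eve <b>bold</b> & "quoted"';

// With <%= %> the markup lands in the DOM as live HTML.
function renderUnescaped() {
  return compile('<li><%= name %></li>')({ name: UNTRUSTED_NAME });
}

// With <%- %> the same value is rendered as inert text.
function renderEscaped() {
  return compile('<li><%- name %></li>')({ name: UNTRUSTED_NAME });
}
```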

dvgica commented 12 years ago

I opened a pull request for this: https://github.com/codebrew/backbone-rails/pull/123.