jellybob / activo-rails

Activo is a theme for Web-app-theme, Formtastic and Attrtastic. This is a Rails plugin to make it painfully easy to use.
http://dmfrancisco.github.com/activo/
MIT License

avoid modifying html_safe string in place #9

Closed gavinheavyside closed 13 years ago

gavinheavyside commented 13 years ago

Rails 3.0.8 contains a fix for an XSS vulnerability, and raises exceptions when in-place string modifications are performed on HTML safe strings.

See http://weblog.rubyonrails.org/2011/6/8/ann-rails-3-0-8-has-been-released and http://weblog.rubyonrails.org/2011/6/8/potential-xss-vulnerability-in-ruby-on-rails-applications
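The failure this PR works around, as an added example (not activo-rails code and not the Rails source): a simplified model of the Rails 3.0.8 SafeBuffer guard, where `concat`/`<<` escapes unsafe input and bang methods raise instead of mutating the buffer, followed by a class-attribute helper written both ways. `SafeBufferModel`, `class_attr_in_place` and `class_attr_safe` are constructed names.

```ruby
require "erb"

# Simplified model of ActiveSupport::SafeBuffer as of Rails 3.0.8 (constructed
# for illustration). Only the two behaviours that matter here are modelled:
#   * concat / << escapes a non-safe argument instead of trusting it
#   * in-place (bang) methods raise TypeError rather than mutate the buffer
class SafeBufferModel < String
  UNSAFE_BANG_METHODS = %w[gsub! sub! strip! lstrip! rstrip! squeeze! downcase! upcase!].freeze

  def html_safe?
    true
  end

  def concat(value)
    safe = value.respond_to?(:html_safe?) && value.html_safe?
    super(safe ? value : ERB::Util.html_escape(value))
  end
  alias << concat

  UNSAFE_BANG_METHODS.each do |name|
    define_method(name) { |*_args| raise TypeError, "Cannot modify SafeBuffer in place" }
  end
end

# Constructed stand-in for the String#html_safe that Rails provides.
class String
  def html_safe
    SafeBufferModel.new(self)
  end
end

# Before: the class attribute is marked html_safe first and then edited in
# place. Under the 3.0.8 guard the strip! call raises TypeError.
def class_attr_in_place(base, extra)
  klass = base.html_safe
  klass << " #{extra}"   # plain String argument is escaped, not trusted
  klass.strip!           # in-place modification of a safe buffer -> raises
  klass
end

# After: do all string work on a plain String, escape it, and only then mark
# the finished value safe. Nothing is mutated after html_safe is applied.
def class_attr_safe(base, extra)
  plain = "#{base} #{extra}".strip
  ERB::Util.html_escape(plain).html_safe
end
```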

tobsch commented 13 years ago

Thanks a lot!

tobsch commented 13 years ago

I wonder why we need the html_safe on the class attribute anyway?