Open hkmaly opened 11 years ago
Sorry.. This was created for an internal project, and hasn't been maintained since. I'd recommend looking for other libraries... I should probably state this in the README
... you mean like https://github.com/veger/ruby-bbcode/issues/10 ? I understand that you may not want to be fixing this, but then you should really warn everyone that this library is dangerous. You may also link this blog post: http://blog.kotowicz.net/2010/09/bbcode-wont-protect-you-from-xss.html
Code like
RuBB.to_html('[url=http://www.google.com" onclick=javascript:alert(window.location) rel=nofollow]google[/url]')
produces HTML with executable JavaScript code. While slashing all quotes would make it harder to produce a working exploit, I believe that escaping them to `&quot;` as cpjolicoeur/bb-ruby does would be safer.
(Note that I'm not sure what phpBB itself is using...)
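For readers comparing the two escaping strategies discussed in the thread, here is an added example (not code from RuBB, bb-ruby or phpBB) with a minimal, hypothetical regex-based `[url=...]...[/url]` renderer in two variants: one that only backslashes quotes, and one that HTML-entity-escapes attribute values and additionally restricts the URL to http/https. The `SAFE_SCHEMES` list and the helper names are assumptions made for this example. The payload is the one quoted in the issue.

```ruby
require 'cgi'
require 'uri'

# Constructed example, not the library's own code: a tiny [url=...]text[/url]
# renderer used to compare backslash-escaping against HTML-entity escaping.
URL_TAG = /\[url=(.*?)\](.*?)\[\/url\]/m

# Naive variant: only prefix double quotes with a backslash. HTML attribute
# parsing does not treat a backslash as an escape, so the quoted attribute
# still terminates at the injected quote and the rest becomes new attributes.
def render_url_naive(bbcode)
  bbcode.gsub(URL_TAG) do
    href = Regexp.last_match(1).gsub('"') { '\"' }
    text = Regexp.last_match(2)
    %(<a href="#{href}" rel="nofollow">#{text}</a>)
  end
end

# Hardened variant: entity-escape everything that lands inside an attribute
# value or element body (" becomes &quot;, < becomes &lt;, & becomes &amp;),
# and only accept URLs that parse as plain http(s). Assumed policy for this example.
SAFE_SCHEMES = %w[http https].freeze

def safe_href?(value)
  uri = URI.parse(value)
  uri.is_a?(URI::HTTP) && SAFE_SCHEMES.include?(uri.scheme)
rescue URI::InvalidURIError
  # Quotes and spaces are not valid URI characters, so the injected
  # attribute string from the issue is rejected here.
  false
end

def render_url_safe(bbcode)
  bbcode.gsub(URL_TAG) do
    raw_href = Regexp.last_match(1)
    text = CGI.escapeHTML(Regexp.last_match(2))
    if safe_href?(raw_href)
      %(<a href="#{CGI.escapeHTML(raw_href)}" rel="nofollow">#{text}</a>)
    else
      # Not an acceptable URL: emit only the escaped link text, no anchor.
      text
    end
  end
end

# Crude detection helper for the demo: does the output carry an on*= attribute
# that is not enclosed in a quoted value? Good enough for these inputs.
def contains_event_handler?(html)
  !!(html =~ /\son[a-z]+\s*=/i)
end

# The payload quoted in the issue.
PAYLOAD = '[url=http://www.google.com" onclick=javascript:alert(window.location) rel=nofollow]google[/url]'

if __FILE__ == $PROGRAM_NAME
  puts "naive: #{render_url_naive(PAYLOAD)}"
  puts "safe:  #{render_url_safe(PAYLOAD)}"
  puts "safe (benign): #{render_url_safe('[url=http://example.com/?q=a&b=c]Example[/url]')}"
end
```

Running it shows the naive output still carrying `onclick=` as a live attribute, while the hardened renderer drops the anchor entirely for the malformed URL and, for a benign link, emits `&amp;` inside the `href` so the attribute can never be broken out of.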