petejkim / rubb

BBCode Parser for Ruby that supports nested BBCode tags.
MIT License

The library is susceptible to HTML injection / XSS errors #2

Open hkmaly opened 11 years ago

hkmaly commented 11 years ago

Code like

RuBB.to_html('[url=http://www.google.com" onclick=javascript:alert(window.location) rel=nofollow]google[/url]')

produces HTML with executable javascript code. While slashing all quotes would make it harder to produce a working exploit, I believe that escaping them to &quot; as cpjolicoeur/bb-ruby does would be safer.

(Note that I'm not sure what phpbb itself is using ..)
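The attribute-injection problem described in this issue, and the escaping fix it proposes, as an added example that is not part of RuBB or of any comment in this thread. It uses a minimal hypothetical `[url=...]` handler (not RuBB's own code), shows the naive interpolation beside a version that runs the attribute value through `CGI.escapeHTML` (which turns `"` into `&quot;`), and goes one step further than the report by also rejecting non-http(s) schemes.

```ruby
require 'cgi'

# Constructed input modelled on the report in this issue: the url= parameter
# closes the href attribute and smuggles an onclick handler into the tag.
MALICIOUS = '[url=http://www.google.com" onclick=javascript:alert(window.location) rel=nofollow]google[/url]'

# Hypothetical minimal matcher for [url=...]text[/url] (not RuBB's parser).
URL_TAG = /\[url=(.+?)\](.+?)\[\/url\]/m

# Naive rendering: the parameter is interpolated verbatim, so a double quote
# inside it terminates href="..." and everything after it becomes attributes.
def naive_url_to_html(bbcode)
  bbcode.gsub(URL_TAG) { %(<a href="#{$1}">#{$2}</a>) }
end

# Hardened rendering: HTML-escape both the attribute value and the link text
# (CGI.escapeHTML maps " to &quot;, < to &lt;, > to &gt;, & to &amp;), so the
# injected text stays inside the href value. As an extra check beyond the
# issue's suggestion, anything that is not an http(s) URL is not linked at all,
# which also covers javascript: hrefs.
def safe_url_to_html(bbcode)
  bbcode.gsub(URL_TAG) do
    href, text = $1, $2
    if href =~ %r{\A\s*https?://}i
      %(<a href="#{CGI.escapeHTML(href)}" rel="nofollow">#{CGI.escapeHTML(text)}</a>)
    else
      CGI.escapeHTML(text) # unsafe scheme: keep the visible text, drop the link
    end
  end
end

if __FILE__ == $0
  puts naive_url_to_html(MALICIOUS) # onclick= lands as a real attribute
  puts safe_url_to_html(MALICIOUS)  # onclick= is inert text inside href
end
```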

petejkim commented 11 years ago

Sorry.. This was created for an internal project, and hasn't been maintained since. I'd recommend looking for other libraries... I should probably state this in the README

hkmaly commented 11 years ago

... you mean like https://github.com/veger/ruby-bbcode/issues/10 ? I understand that you may not want to be fixing this, but then you should really warn everyone that this library is dangerous. You may also link this blog post: http://blog.kotowicz.net/2010/09/bbcode-wont-protect-you-from-xss.html