ryanjohns / passmaster

Host-Proof password storage using client-side AES-256 encryption.
https://passmaster.io
GNU General Public License v3.0

html-escape passwords in accounts_viewer (backups) #6

Closed etipton closed 9 years ago

etipton commented 9 years ago

To recreate the issue, try using password "abc123<I456" (the "<I" part gets treated as an <i> tag without escaping it).

Note: One hangup I ran into when testing was that the ACCOUNTS_VIEWER (the file object) gets set in an initializer, so unicorn needs to be restarted after changes are made to accounts_viewer.html

ryanjohns commented 9 years ago

Thanks for this. The solution looks good but there is a different process for updating this file. There is a template in app/view/application/ called accounts_viewer.html.haml which I use to create the public/accounts_viewer.html file. So the file in the public directory shouldn't be modified directly. Once you modify the haml template you can convert to html with the following command run from the app root.

haml app/views/application/accounts_viewer.html.haml public/accounts_viewer.html

Also, I'm fine just inlining this functionality directly in the loop within showAccount() instead of adding another function. If you do add another function, please add it to the <head> because that's where my code is and the library code is at the bottom of the page.
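One way to do the escaping inline in the showAccount() loop, as an added example (this is not passmaster's own code; the account field names, the table layout and the helper names are assumptions for the illustration):

```javascript
// Added example: escape account fields before they are concatenated into the
// accounts_viewer markup, so a password such as "abc123<I456" is displayed
// literally instead of having its "<I" parsed as the start of an <i> tag.

// Escape the five characters that change meaning in HTML text or attributes.
// '&' is replaced first so the entities introduced afterwards are not re-escaped.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Builds one viewer row. The {name, username, password} field names are an
// assumption for this example, not passmaster's actual schema.
function renderAccountRow(account) {
  return '<tr>' +
    '<td>' + escapeHtml(account.name) + '</td>' +
    '<td>' + escapeHtml(account.username) + '</td>' +
    '<td>' + escapeHtml(account.password) + '</td>' +
    '</tr>';
}

// The unescaped form, kept only to reproduce the behaviour the report describes.
function renderAccountRowUnescaped(account) {
  return '<tr><td>' + account.name + '</td><td>' + account.username +
    '</td><td>' + account.password + '</td></tr>';
}

// Check: strip the tags the row is allowed to contain and count any '<' or '>'
// left over. A non-zero result means user data would be parsed as markup.
function strayAngleBrackets(html) {
  const withoutRowTags = html.replace(/<\/?(tr|td)>/g, '');
  return (withoutRowTags.match(/[<>]/g) || []).length;
}

// Constructed sample using the password from the issue.
const sampleAccount = { name: 'Example Site', username: 'alice', password: 'abc123<I456' };

console.log(strayAngleBrackets(renderAccountRowUnescaped(sampleAccount))); // 1: the "<I" leaks as a tag
console.log(strayAngleBrackets(renderAccountRow(sampleAccount)));          // 0: rendered as text
```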

etipton commented 9 years ago

All sounds good. Will do.

etipton commented 9 years ago

@ryanjohns totally new commit for you now

ryanjohns commented 9 years ago

Awesome, thanks!

ryanjohns commented 9 years ago

Deployed to production.

etipton commented 9 years ago

Tested my particular use-case in prod -- works great.