seyhunak / twitter-bootstrap-rails

Twitter Bootstrap for Rails 6.0, Rails 5 - Rails 4.x Asset Pipeline
https://github.com/seyhunak/twitter-bootstrap-rails

Security issue: XSS (cross-site scripting) #856

Open claudiob opened 9 years ago

claudiob commented 9 years ago

Looks like https://github.com/seyhunak/twitter-bootstrap-rails/commit/23c2050c5fd0c0aff26484673703c4455993550a is taken as an example in a RailsConf talk about what not to do in a gem to avoid cross-site scripting. Take a look at https://youtu.be/dof0EspDPlU?t=24m4s – what do you think?

panmari commented 8 years ago

As argued in the talk, I think escaping should happen at the user level if desired. I created a pull request reverting this change and added two tests.
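The pattern under discussion, as an added illustration (this is not the gem's code and the exact change in the linked commit is not shown here): a view helper that interpolates caller-supplied text into its own markup and returns the result as trusted HTML lets any markup in that text through, while a helper that escapes by default and only skips escaping when the caller explicitly asks keeps the decision at the user level. The helper names and the sample flash message are constructed for the example; `ERB::Util.html_escape` is the same stdlib escaper Rails uses.

```ruby
require "erb"

# Constructed sample: a flash message carrying attacker-controlled markup
# (e.g. text reflected from a query parameter into flash[:notice]).
UNTRUSTED_FLASH = "Welcome back <script>alert(1)</script>"

# What the talk warns against (assumed shape of the regression, not the gem's code):
# the helper wraps the message in markup without escaping it. In Rails, returning
# this string with `.html_safe` tells the view layer to render it verbatim.
def flash_alert_trusting(message)
  %(<div class="alert alert-info">#{message}</div>)
end

# Hardened form: escape by default, so only the helper's own tags reach the page.
# A caller who really holds pre-sanitised HTML opts out explicitly; the gem never
# decides on the user's behalf that arbitrary text is safe.
def flash_alert(message, trusted_html: false)
  body = trusted_html ? message : ERB::Util.html_escape(message)
  %(<div class="alert alert-info">#{body}</div>)
end

# Check used by the test below: does the rendered HTML still contain an
# unescaped tag from the untrusted input?
def injected_markup?(html)
  html.include?("<script")
end

if __FILE__ == $PROGRAM_NAME
  puts flash_alert_trusting(UNTRUSTED_FLASH)
  puts flash_alert(UNTRUSTED_FLASH)
end
```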

forced-request commented 8 years ago

@seyhunak This is quite concerning because this vulnerability was addressed in 2014.

Read about it in this blog post: https://nvisium.com/blog/2014/03/28/reflected-xss-vulnerability-in-twitter/

Relevant commit: https://github.com/seyhunak/twitter-bootstrap-rails/commit/663760e67b80ee25adc293bf5f03debae28b5af9