Closed panmari closed 8 years ago
:+1:
The maintainers of this project need to stop flip-flopping on this issue. This was fixed on March 24, 2014 (commit), and applied to the Bootstrap 3 branch on April 1, 2014 (commit). On Dec 12, 2014 (commit), someone else came along and just re-added html_safe (seemingly oblivious to the fact that it was removed for a reason), and it went right back in without anybody questioning it.
At this point I'm now considering dropping this gem from the app I work on, but for the sake of people who still use it, this fix needs to go back in.
@symmetriq In case you need an alternative, you might want to look at http://fullscreen.github.io/bh
Maybe now that I've added tests that mention the xss issue there, people will be more hesitant to revert the change...
On Sat, Aug 8, 2015, 09:10 Claudio B. notifications@github.com wrote:
> @symmetriq https://github.com/symmetriq In case you need an alternative, you might want to look at http://fullscreen.github.io/bh
This could be misused as an attack vector for XSS attacks. Added two tests checking the behavior in both cases: whether the user escapes the message or not.
See also #856