Open cantino opened 10 years ago
Eco's default `__escape` implementation doesn't escape single quotes, which makes XSS attacks like the following possible:

    <input type='text' value='<%= @value %>'>

With a @value of `x'onmouseover='alert(document.domain)`, an XSS occurs.

This fork fixes the issue by using Underscore's escape.
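Added example (not Eco's, Underscore's, or this fork's code): a toy escaper that, like the behaviour the PR describes, leaves the single quote alone, beside one that also escapes it. Rendering the PR's template with both and listing the attribute names the browser would see shows how the missing escape turns one attribute into two; the escape sets and the `renderInput`/`attributeNames` helpers are assumptions for illustration.

```javascript
// Mirrors the reported behaviour: escapes & < > " but NOT the single quote.
function escapeWithoutSingleQuote(str) {
  return String(str)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Hardened form: the same characters plus the single quote, so a value can
// never terminate a single-quoted attribute early.
const ESCAPE_MAP = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
};
function escapeForAttribute(str) {
  return String(str).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

// The template from the PR description, with @value interpolated through
// the given escape function (stand-in for Eco's <%= %>).
function renderInput(escape, value) {
  return `<input type='text' value='${escape(value)}'>`;
}

// Rough attribute-name extraction for single-quoted attributes: enough to
// see whether the rendered tag carries more attributes than the template.
function attributeNames(tag) {
  const names = [];
  const re = /\b([a-zA-Z-]+)='([^']*)'/g;
  let m;
  while ((m = re.exec(tag)) !== null) names.push(m[1]);
  return names;
}

// The value quoted in the PR (constructed input for this example).
const untrusted = "x'onmouseover='alert(document.domain)";

console.log(attributeNames(renderInput(escapeWithoutSingleQuote, untrusted)));
// [ 'type', 'value', 'onmouseover' ]  <- a third, event-handler attribute appeared
console.log(attributeNames(renderInput(escapeForAttribute, untrusted)));
// [ 'type', 'value' ]                 <- the value stays inside its attribute
```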