twilio / authy-ruby

**Deprecated** Ruby library to access the authy API
MIT License
156 stars, 47 forks

URL parameter not properly escaped #10

Closed weppos closed 9 years ago

weppos commented 10 years ago

We're using the client in a Rails project and from time to time the following error is raised.

URI::InvalidURIError: bad URI(is not URI?): https://api.authy.com//protected/json/verify/foo bar/000000

The origin of the issue is that the library takes the token parameter and uses it immediately without any further sanitization.

You can reproduce the issue with the following example

Authy::API.verify(:id => user.authy_id, :token => 'token with space', :force => true)

We can indeed validate the user input, but I assume the library should not trust a parameter, especially if this parameter is used to generate a URL path like in this case.

You may want to sanitize or validate every input that is part of a URL.

weppos commented 10 years ago

One more question. What is the token format? Is the token always expected to be composed only of digits? Or are there any other allowed characters?

danpal commented 10 years ago

We're looking into this, we'll sanitize this for you. Tokens are only digits.
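The following is an added example and not authy-ruby's own code. It reproduces the failure weppos reports above (the raw token interpolated into the URL path) and shows the two fixes a caller or the library can apply given danpal's answer that tokens are digits only: validate the token against that format before it reaches the URL, and percent-encode every path segment so that a value which slips past validation still cannot change the URL's structure. The base URL and endpoint path are taken from the error message in the report; the method and class names are this example's own.

```ruby
require "uri"

# Added example, not authy-ruby's own code. API_BASE and the endpoint path
# mirror the error message in the report; method names are this example's.
API_BASE = "https://api.authy.com"

# As described in the issue: the token is dropped straight into the path.
# A space makes URI.parse raise URI::InvalidURIError; a "?" or "/" silently
# changes the request (query injection, extra path segments).
def verify_uri_unsafe(id, token)
  URI.parse("#{API_BASE}/protected/json/verify/#{token}/#{id}")
end

# Token format per the maintainer: digits only. \A and \z anchor the whole
# string, so "123\nfoo" is rejected (^ and $ would match per line).
TOKEN_RE = /\A\d+\z/

class InvalidToken < ArgumentError; end

def validate_token!(token)
  token = token.to_s
  raise InvalidToken, "token must contain only digits" unless TOKEN_RE.match?(token)
  token
end

# Percent-encode a single path segment: everything outside the RFC 3986
# unreserved set becomes %XX, including "/" and "?", so the value can never
# add a segment or start a query string. (This is a path encoder; a form
# encoder such as URI.encode_www_form_component would emit "+" for a space.)
def encode_path_segment(value)
  value.to_s.gsub(/[^A-Za-z0-9\-._~]/) { |c| c.bytes.map { |b| format("%%%02X", b) }.join }
end

# Hardened builder: validate first (fail closed), then encode each segment.
def verify_uri_safe(id, token)
  segments = [validate_token!(token), id].map { |s| encode_path_segment(s) }
  URI.parse("#{API_BASE}/protected/json/verify/#{segments.join('/')}")
end

if __FILE__ == $PROGRAM_NAME
  begin
    verify_uri_unsafe(42, "token with space")
  rescue URI::InvalidURIError => e
    puts "unsafe: #{e.class}: #{e.message}"
  end
  puts "unsafe, query injected: #{verify_uri_unsafe(42, '0?force=true')}"
  puts "safe: #{verify_uri_safe(42, '000000')}"
  begin
    verify_uri_safe(42, "0?force=true")
  rescue InvalidToken => e
    puts "safe: rejected (#{e.message})"
  end
end
```

Validation is the real control here: once the format is known to be digits only, anything else is an error, not something to escape and forward. Encoding the segment anyway costs nothing and protects the builder if a later change loosens the validation.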

dcu commented 10 years ago

@weppos I just released a new version, can you test it? thanks.

weppos commented 10 years ago

Wow, that was fast! I'll upgrade our app tomorrow morning and I'll give you feedback.

jorilallo commented 10 years ago

Related to this, action_message gets messed up with the gem

danpal commented 10 years ago

@jorilallo what are you seeing in action_message? Can you post a stack trace?

jorilallo commented 10 years ago

Daniel: it is displayed escaped in the delivered text message

jorilallo commented 10 years ago

@danpal errr, I mean form encoded
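jorilallo reports the action_message arriving form-encoded in the delivered text. One way that symptom arises is encoding a value twice: percent-encoding it by hand and then form-encoding the whole request body again, so the server decodes once and keeps "+" and "%3F" as literal text. The page does not say that is what the gem did, so the following is an added illustration of that failure mode and a round-trip check for it, not the gem's code; the parameter names and values are constructed for the example.

```ruby
require "uri"

# Added example, not the gem's code. Double form-encoding is an assumption
# about how a message can arrive "form encoded"; SAMPLE_PARAMS is constructed.
SAMPLE_PARAMS = {
  "api_key"        => "REDACTED",              # constructed placeholder
  "action"         => "login",
  "action_message" => "Log in to Example Corp?",
}.freeze

# Correct: encode the body exactly once with the form encoder.
def form_body(params)
  URI.encode_www_form(params)
end

# Wrong: values pre-escaped, then encoded again by the body encoder.
def form_body_double_encoded(params)
  URI.encode_www_form(params.transform_values { |v| URI.encode_www_form_component(v) })
end

# What a server sees after decoding the body once.
def server_view(body)
  URI.decode_www_form(body).to_h
end

# Regression check: a correctly built body round-trips to the original values.
def round_trips?(params, body)
  server_view(body) == params
end

if __FILE__ == $PROGRAM_NAME
  puts "once:  #{server_view(form_body(SAMPLE_PARAMS))['action_message']}"
  puts "twice: #{server_view(form_body_double_encoded(SAMPLE_PARAMS))['action_message']}"
end
```

The check is cheap to keep in a test suite: build the body the way the client does, decode it once the way a server does, and compare with the input. Path segments and form fields need different encoders, and each value should pass through exactly one of them.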

dcu commented 9 years ago

Closing. This was already fixed.