Commit
In Ruby, `^` and `$` match the line beginning and line end. So, an email coming in via HTTP like this:

user@example.com%0A<script>alert('hello')</script>

%0A is a line feed in URL encoding, so Rails automatically converts it to:

user@example.com\n<script>alert('hello')</script>

and it unintentionally passes validation because the regular expression matched the email up to the line end; the rest does not matter.

http://guides.rubyonrails.org/security.html#regular-expressions
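The anchor difference the commit describes, as an added Ruby example (not code from the commit or from the Rails guide). The request parameter is a constructed value, and `CGI.unescape` stands in for the URL decoding Rails performs on incoming parameters:

```ruby
require 'cgi'

# Weak: in Ruby, ^ and $ anchor at line boundaries, so the pattern is
# satisfied by any single line that looks like an email address.
WEAK_EMAIL = /^[\w.+-]+@[\w-]+\.[\w.-]+$/

# Strict: \A and \z anchor at the start and the very end of the whole
# string, so trailing lines cannot be smuggled past the check.
STRICT_EMAIL = /\A[\w.+-]+@[\w-]+\.[\w.-]+\z/

def weak_valid?(value)
  !!(value =~ WEAK_EMAIL)
end

def strict_valid?(value)
  !!(value =~ STRICT_EMAIL)
end

# Constructed parameter as it would arrive URL-encoded in a request.
PARAM = "user@example.com%0A<script>alert('hello')</script>"

# URL-decode the parameter; %0A becomes a real line feed, exactly the
# conversion the commit message describes.
def decoded_param
  CGI.unescape(PARAM)
end

# Report which of the two validations accept a value.
def check(value)
  { weak: weak_valid?(value), strict: strict_valid?(value) }
end

if __FILE__ == $PROGRAM_NAME
  value = decoded_param
  puts value.inspect
  puts check(value).inspect
end
```

Rails' `validates ... format:` also rejects patterns anchored with `^`/`$` unless `multiline: true` is passed explicitly, for exactly this reason.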