Commit
Adding Haml html escaping.
Haml's HTML escaping option was not on, leaving the site open for XSS
attacks. This would seem to fix it.
steveklabnik authored and Maxwell Salzberg committed Sep 16, 2010
1 parent dea0912 commit 22edec5
Showing 1 changed file with 1 addition and 0 deletions: config/environment.rb
Expand Up @@ -7,6 +7,7 @@
# Load the rails application # Load the rails application
require File.expand_path('../application', __FILE__) require File.expand_path('../application', __FILE__)
Haml::Template.options[:format] = :html5 Haml::Template.options[:format] = :html5
Haml::Template.options[:escape_html] = true
# Initialize the rails application # Initialize the rails application
Diaspora::Application.initialize! Diaspora::Application.initialize!
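Review bot: nothing in the hunk demonstrates that the new option changes rendered output, and the commit message itself hedges ("would seem to fix it"); add a view test that renders a string such as `<script>` through `=` and asserts it arrives as `&lt;script&gt;`, run once without and once with `Haml::Template.options[:escape_html] = true`, so the fix is verified rather than assumed. The placement is correct: the line sits next to the existing `Haml::Template.options[:format] = :html5` and before `Diaspora::Application.initialize!`, so the option is set before any template is compiled. This option only covers escaped output (`=` and interpolation); any view that emits unescaped HTML deliberately (`!=`, `raw`, `html_safe`) is untouched by this line and still needs a separate review.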



1 comment on commit 22edec5

@jamiew (Contributor) commented on 22edec5 Sep 16, 2010


Hmm, I was under the impression rails_xss applied 100% to Haml as well in Rails 3.
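Whichever way the question above is settled, the practical follow-up to turning on `escape_html` is the same: escaping applies only to `=` output and interpolation, so the remaining XSS exposure is in templates that deliberately bypass it. The script below is an added example, not code from the diaspora project or this commit. It mirrors the difference between Haml's `=` and `!=` operators with plain Ruby (no Haml gem required) and scans Haml source for the bypass forms a reviewer would want to look at by hand. The pattern names, the `scan_haml` function and the sample template are this example's own constructions.

```ruby
# Added example, not part of the diaspora commit above.
# After enabling Haml's escape_html, grep views for output that is
# still emitted unescaped and review each hit by hand.
require 'cgi'

# Haml output forms that escape_html does NOT protect.
# Pattern names are this script's own, not Haml terminology.
UNESCAPED_PATTERNS = {
  # "!=" at line start, optionally after a %tag / .class / #id prefix
  bang_equals: /^\s*(?:[%.#][^\s=!&]*)?!=/,
  raw_helper:  /\braw\s*[\(\s]/,      # raw(...) or raw ...
  html_safe:   /\.html_safe\b/,       # String#html_safe
}.freeze

# Returns one {line:, text:, reason:} hash per flagged template line.
# This is a first-pass grep: a tag with attributes before "!=" or a
# plain "!=" comparison inside Ruby code may be missed or over-flagged.
def scan_haml(source)
  findings = []
  source.each_line.with_index(1) do |text, lineno|
    UNESCAPED_PATTERNS.each do |reason, re|
      next unless text =~ re
      findings << { line: lineno, text: text.rstrip, reason: reason }
      break # one finding per line is enough for review
    end
  end
  findings
end

# Plain-Ruby mirror of Haml's "=" operator: escaped only when the
# escape_html option is on.
def haml_equals(value, escape_html:)
  escape_html ? CGI.escapeHTML(value.to_s) : value.to_s
end

# Mirror of Haml's "!=" operator: never escaped, whatever the option.
def haml_bang_equals(value)
  value.to_s
end

# Constructed sample template; not a real diaspora view.
SAMPLE_TEMPLATE = <<~'HAML'
  %h1= @person.name
  %p!= @post.body
  %p= raw(@post.body)
  %div= @comment.text.html_safe
  %span= @status
HAML

if __FILE__ == $0
  scan_haml(SAMPLE_TEMPLATE).each do |f|
    puts "line #{f[:line]} (#{f[:reason]}): #{f[:text]}"
  end
  puts haml_equals('<script>', escape_html: false)
  puts haml_equals('<script>', escape_html: true)
end
```

Run it against `app/views/**/*.haml` by replacing the sample with `File.read` of each file; every hit is a place where the option in the commit above makes no difference and the input must be trusted or escaped explicitly.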
