closed XSS after the @

1 parent b2b27bc commit cffce8e60b7557e9945fc0e8b4383e5a66b1558f @bcherry bcherry committed Aug 23, 2010
Showing with 9 additions and 1 deletion.
  1. +1 −1 lib/regex.rb
  2. +8 −0 spec/autolinking_spec.rb
2 lib/regex.rb
@@ -60,7 +60,7 @@ class Regex
# Allow @ in a url, but only in the middle. Catch things like
REGEXEN[:valid_url_path_chars] = /(?:
- @[^\/]+\/|
+ @#{REGEXEN[:valid_general_url_path_chars]}+\/|
# Valid end-of-path chracters (so /foo. does not gobble the period).
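Review bot: the new alternative `@#{REGEXEN[:valid_general_url_path_chars]}+\/` depends on `REGEXEN[:valid_general_url_path_chars]` already being defined when this regex literal is built (it is interpolated once, at load time) and on that class excluding `"`, `=`-style attribute text and whitespace; a one-line comment stating both would help the next reader. The old `@[^\/]+\/` accepted every character except `/` after the `@`, so quotes and attribute text were swallowed into the matched URL, which is the bug the test below exercises. Narrowing the regex only decides where the link ends; the rendering side should still HTML-escape the href attribute, so this is defence in depth rather than the sole control.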
8 spec/autolinking_spec.rb
@@ -474,6 +474,14 @@ def original_text; "I like dudes"; end
+ context "with a @ in a URL" do
+ def original_text; 'http://x.xx/@"style="color:pink"onmouseover=alert(1)//'; end
+ it "should not allow XSS follwing @" do
+ @autolinked_text.should have_autolinked_url('http://x.xx/')
+ end
+ end
describe "Autolink all" do
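Review bot: the spec only asserts that the autolinked URL stops at `http://x.xx/`; it does not check what happens to the remainder `@"style="color:pink"onmouseover=alert(1)//`, which is the text that has to reach the output escaped, so an assertion that the rendered result does not contain an unescaped `"style=` would cover the failure the commit message names. A positive case with a legitimate mid-path `@` (for example `http://x.xx/@user/page`, a constructed value) is also worth adding, since the regex change narrows the accepted characters and the comment in lib/regex.rb says `@` is meant to stay valid in the middle of a path. Minor: `follwing` in the example description should be `following`.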

10 comments on commit cffce8e


This would have prevented today's XSS exploits on
Why hasn't this commit been pulled?


Ha indeed!


Easy to criticize when you're not in the trenches guys...


Even easier to criticise when you have been in similar trenches and it still looks bad. ;-)


when you have been in similar trenches and it still looks bad. ;-)

I've been in that exact situation of being able to criticize because I do know better, but people are a little eager to dogpile the 'big guy' like Twitter.


No one has to be criticized, this kind of thing can happen. 100% bug-free is not possible. I'm just wondering why this hasn't been pulled by Twitter?


Deployment processes and code-vetting are non-instantaneous.


The fix is in production now.


@romac: This was in fact patched last month. Read the Twitter blog:

We discovered and patched this issue last month. However, a recent site update (unrelated to new Twitter) unknowingly resurfaced it.