
Commit

Fix an XSS attack on the board
Bruno Michel committed Apr 28, 2011
1 parent e1cd800 commit e03e2da
Showing 1 changed file with 2 additions and 1 deletion.
3 changes: 2 additions & 1 deletion app/models/board.rb
Expand Up @@ -79,13 +79,14 @@ def rendered

include ActionView::Helpers::TagHelper
include ActionView::Helpers::TextHelper
include ActionView::Helpers::SanitizeHelper

def sanitize_message
doc = Nokogiri::HTML::Document.new
doc.encoding = "utf-8"
node = Nokogiri::HTML::DocumentFragment.new(doc)
inner_sanitize(node, @message[0, 500])
@message = auto_link(node.to_s, :urls) { "[url]" }.html_safe
@message = sanitize(auto_link(node.to_s, :urls) { "[url]" })
end

def inner_sanitize(parent, str)
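Review bot: the replaced line trusted `node.to_s` by calling `.html_safe` on the `auto_link` result, so anything that survived the custom `inner_sanitize` walk (or was introduced by the `auto_link` anchors and the `"[url]"` block output) went to the view unescaped; wrapping the whole `auto_link(...)` call in `sanitize(...)` closes that gap, but the hunk gives no reason for the change in the code itself. Suggest a short comment above `@message = sanitize(auto_link(node.to_s, :urls) { "[url]" })` stating that `sanitize` must wrap the `auto_link` output rather than the input, and a regression spec that feeds `sanitize_message` a message containing a `<script>` element and asserts it is stripped from `@message`. Also worth checking that the Rails `sanitize` allowlist from `ActionView::Helpers::SanitizeHelper` does not strip markup that `inner_sanitize` deliberately permits, since the two filters now run in sequence.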

0 comments on commit e03e2da
