I've been testing Devise and noticed that the regexp for validating correct emails seems to be insecure. The current implementation in ~/config/initializers/devise.rb uses a regexp that checks for the beginning and end of a line using ^ and $ when I believe it should be using \A and \z so that harmful characters cannot be used to concatenate an XSS attack. I only noticed this when I went over the Rails Guide at guides.rubyonrails.org entitled "Securing Rails Applications" (http://guides.rubyonrails.org/security.html).
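The anchor difference this report is about, shown as an added Ruby example that is not Devise's own code: the simplified e-mail pattern below is a constructed stand-in for the configured email_regexp, not the exact pattern Devise ships.

```ruby
# In Ruby, ^ and $ match at the start and end of ANY line inside the string,
# so a multi-line value passes a "whole string" check as long as one line
# matches. \A and \z match only at the very start and the very end of the
# string. (\Z would still allow one trailing newline, so \z is the safe pick.)

# Constructed simplified e-mail pattern (assumption, not Devise's real regexp).
LINE_ANCHORED_EMAIL   = /^[^@\s]+@[^@\s]+\.[^@\s]+$/
STRING_ANCHORED_EMAIL = /\A[^@\s]+@[^@\s]+\.[^@\s]+\z/

def valid_with_line_anchors?(value)
  LINE_ANCHORED_EMAIL.match?(value)
end

def valid_with_string_anchors?(value)
  STRING_ANCHORED_EMAIL.match?(value)
end

# Constructed inputs: a plain address, one with extra lines of markup wrapped
# around an address-looking line, and one with a trailing newline. Anything
# accepted here is what later gets stored and rendered.
PLAIN            = "alice@example.com"
MULTI_LINE       = "<i>not an address</i>\nalice@example.com\n<i>more</i>"
TRAILING_NEWLINE = "alice@example.com\n"

# Returns a hash of verdicts so the two anchor styles can be compared side by side.
def check_inputs
  {
    plain_line:            valid_with_line_anchors?(PLAIN),              # true
    plain_string:          valid_with_string_anchors?(PLAIN),            # true
    multi_line:            valid_with_line_anchors?(MULTI_LINE),         # true:  one line matched
    multi_string:          valid_with_string_anchors?(MULTI_LINE),       # false: whole string checked
    trailing_newline_line:   valid_with_line_anchors?(TRAILING_NEWLINE),   # true:  $ matches before "\n"
    trailing_newline_string: valid_with_string_anchors?(TRAILING_NEWLINE), # false: \z needs the real end
  }
end

if __FILE__ == $PROGRAM_NAME
  check_inputs.each { |name, verdict| puts "#{name}: #{verdict}" }
end
```

Rails' own format validator refuses a `^`/`$`-anchored regexp unless `multiline: true` is passed explicitly, which is a useful check to keep enabled when auditing validations like this one.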