Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Ability to escape validation messages #329

Merged
merged 3 commits into from
Mar 15, 2020

Conversation

bytestream
Copy link
Collaborator

I spoke to @torrentalle about this a while ago. If you inject database values into validation messages then you can leave leave yourself open to XSS attacks, for example consider custom field usage.

This adds a new escape configuration option that will run htmlentities on all validation messages. By default it's turn offed for backwards compatibility...

@bytestream
Copy link
Collaborator Author

@torrentalle @antonkomarev @drjoju

Can any of you access the StyleCI account linked to this repository? StyleCI team are advising that in-app settings are overriding the .style-ci.yml file so essentially that file is useless.

https://twitter.com/TeamStyleCI/status/1191738162315505665

@antonkomarev
Copy link
Contributor

I've tried to fix StyleCI somehow and even wrote to StyleCI staff for helping me to fix that, but only @torrentalle has access to it.

@bytestream
Copy link
Collaborator Author

@drjoju sorry to ping, but while you're active would you mind looking at this comment? #329 (comment) maybe you have permission to edit the account...

@bytestream bytestream merged commit d5332d9 into proengsoft:master Mar 15, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

2 participants