Permalink
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Browse files
convert CDATA nodes to TEXT nodes to avoid XSS issues
CDATA nodes will not be html escaped. Users shouldn't be submitting CDATA nodes in the first place, so we should convert them to text nodes before escaping CVE-2015-7580
- Loading branch information
Showing
with
16 additions
and 1 deletion.
- +6 −1 lib/rails/html/scrubbers.rb
- +10 −0 test/sanitizer_test.rb