Don't allow arbitrary data in link_to :back #14444
I realised that
Obviously this bug is low priority as the referer header cannot be spoofed easily as such, but at the moment we're one browser bug away from having a massive XSS exploit on every Rails site that uses
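One way to stop arbitrary Referer data from ending up in a back link is to validate it before use and fall back to `javascript:history.back()` otherwise. The helper below is an added example written for this thread, not Rails' own `link_to :back` implementation; the function name `safe_back_url`, the `SAFE_BACK_FALLBACK` constant and the assumption that the caller passes the current request host are all hypothetical. It allows only absolute http/https URLs on the same host and rejects every other scheme (`javascript:`, `data:`, ...), foreign origins, embedded credentials and unparsable input.

```ruby
require "uri"

# Value used whenever the Referer cannot be trusted as a link target.
# (Constructed for this example; not a Rails constant.)
SAFE_BACK_FALLBACK = "javascript:history.back()".freeze

# Return a URL that is safe to use as the href of a "back" link.
#
# referer      - raw value of the HTTP Referer header (may be nil)
# request_host - host of the current request, used as an allow-list
# fallback     - what to return when the referer is rejected
def safe_back_url(referer, request_host, fallback: SAFE_BACK_FALLBACK)
  return fallback if referer.nil? || referer.strip.empty?

  uri = begin
    URI.parse(referer.strip)
  rescue URI::InvalidURIError
    # Garbage that is not even a syntactically valid URI.
    return fallback
  end

  # URI::HTTPS is a subclass of URI::HTTP, so this accepts both and
  # rejects javascript:, data:, vbscript: and any other scheme.
  return fallback unless uri.is_a?(URI::HTTP)

  # Same-origin only: a referer pointing at another site is not a
  # "back" link we want to emit.
  return fallback unless uri.host && uri.host.casecmp?(request_host)

  # Reject user:pass@host forms; they are a phishing/confusion vector
  # and never legitimate for an in-app back link.
  return fallback if uri.userinfo

  uri.to_s
end

# Usage (constructed inputs): the first call keeps the referer, the
# other two return the fallback.
if __FILE__ == $PROGRAM_NAME
  puts safe_back_url("https://app.example.com/orders?page=2", "app.example.com")
  puts safe_back_url("javascript:alert(1)", "app.example.com")
  puts safe_back_url("https://evil.example.net/", "app.example.com")
end
```

The returned value should still pass through the view's normal attribute escaping when rendered; this check constrains the URL's scheme and origin, it does not replace HTML escaping.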
Since this is more like a feature request, let's close this for now. Feel free to bring this up on the rails-core mailing list and/or send a pull request for this :) We also have a related GSoC project, so perhaps a student could work on that in the summer.
Thanks for bringing this up though!