auto_link to return sanitized strings #281

Contributor

xuanxu commented Apr 15, 2011

This code returns insecure content, and I think that's very counter-intuitive:
auto_link("<script>alert('malicious')</script> www.rubyonrails.org", :sanitize => true)

I propose avoiding the vulnerability that this commit from @tenderlove fixed (61ee344) and, at the same time, giving a better use to the existing (but undocumented) :sanitize option.

Contributor

jfirebaugh commented Apr 16, 2011

It should not return an html_safe string when :sanitize => false is given, right? Can you add a test for that?
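The behaviour the two comments above ask for, as an added example in plain Ruby that is not Rails' auto_link nor the commit under discussion: a hypothetical auto_link_demo strips tags with a regex and HTML-escapes the text where Rails would use its sanitizer, and returns a boolean in place of html_safe, so a sanitized result is flagged safe while an unsanitized one is not.

```ruby
require 'cgi'

# Matches bare URLs the way this demo links them (constructed for the example).
URL_RE = %r{(?:https?://|www\.)[^\s<>"']+}

# Returns [linked_html, safe_flag].
#   sanitize: true  -> tags are stripped and the remaining text is escaped
#                      BEFORE URLs are linkified, so the output contains only
#                      markup this helper produced and may be flagged safe.
#   sanitize: false -> the input is linkified as-is; the flag is false so the
#                      caller must still escape it on output (jfirebaugh's point).
def auto_link_demo(text, sanitize: true)
  body = sanitize ? CGI.escapeHTML(text.gsub(/<[^>]*>/, '')) : text
  linked = body.gsub(URL_RE) do |url|
    href = url.start_with?('www.') ? "http://#{url}" : url
    %(<a href="#{href}">#{url}</a>)
  end
  [linked, sanitize]
end

if __FILE__ == $PROGRAM_NAME
  input = "<script>alert('malicious')</script> www.rubyonrails.org"  # constructed
  puts auto_link_demo(input, sanitize: true).inspect
  puts auto_link_demo(input, sanitize: false).inspect
end
```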

Contributor

xuanxu commented Apr 16, 2011

You are right, test added.

Owner

rafaelfranca commented May 3, 2011

auto_link has been removed on master. I think that this issue can be closed.

Contributor

xuanxu commented May 5, 2011

Closing. Pull request moved to the new rails_autolink repository.

xuanxu closed this May 5, 2011
