
auto_link to return sanitized strings #281

Closed
Contributor

xuanxu commented Apr 15, 2011

This code returns insecure content, and I think that's very counter-intuitive:
auto_link("<script>alert('malicious')</script> www.rubyonrails.org", :sanitize => true)

I propose to avoid the vulnerability this commit from @tenderlove fixed: 61ee344 and at the same time give a better use to the existent (but not documented) :sanitize option.
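The ordering problem the comment describes, as an added example that is not Rails' code and not the code in this pull request: a stand-in `auto_link_example` (hypothetical name) that escapes the input before adding anchors when `sanitize: true` is given, marks only that result as safe, and returns a plain, unmarked `String` otherwise. `CGI.escapeHTML` stands in for Rails' sanitizer and `SafeString` for `ActiveSupport::SafeBuffer`; both are simplifications. `escape_after_linking` shows why the escape has to happen first: escaping the already-linked text destroys the anchors.

```ruby
require 'cgi'

# Minimal stand-in for a string that carries an html_safe flag, in the spirit
# of ActiveSupport::SafeBuffer (simplified for this example).
class SafeString < String
  def html_safe?
    true
  end
end

# Constructed URL matcher: http(s) URLs and bare www. hosts, stopping at
# whitespace, quotes and angle brackets.
URL_RE = %r{(?:https?://|www\.)[^\s<>"']+}i

# Wrap every URL in an anchor tag. This step trusts its input; it must only
# see text that has already been escaped, or text the caller vouches for.
def linkify(text)
  text.gsub(URL_RE) do |url|
    href = url.start_with?('www.') ? "http://#{url}" : url
    %(<a href="#{href}">#{url}</a>)
  end
end

# sanitize: true  -> escape markup first, then link, and mark the result safe,
#                    so "<script>" arrives in the page as inert text.
# sanitize: false -> link the raw text and return an unmarked String; the
#                    caller is responsible for the HTML it passed in.
def auto_link_example(text, sanitize: true)
  if sanitize
    SafeString.new(linkify(CGI.escapeHTML(text)))
  else
    linkify(text)
  end
end

# The wrong order: linking first and escaping afterwards neutralises the
# script tag but also turns the generated <a> tags into literal text.
def escape_after_linking(text)
  CGI.escapeHTML(linkify(text))
end

if __FILE__ == $PROGRAM_NAME
  sample = "<script>alert('malicious')</script> www.rubyonrails.org"  # constructed input
  puts auto_link_example(sample, sanitize: true)
  puts auto_link_example(sample, sanitize: true).html_safe?
  puts escape_after_linking(sample)
end
```

With the sample input, the sanitized call yields escaped script text followed by a working anchor, while the escape-after-linking variant yields `&lt;a href=...`, which a browser renders as literal characters rather than a link.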

Contributor

jfirebaugh commented Apr 16, 2011

It should not return an html_safe string when :sanitize => false is given, right? Can you add a test for that?

Contributor

xuanxu commented Apr 16, 2011

You are right, test added.

Owner

rafaelfranca commented May 3, 2011

auto_link has been removed on master. I think that this issue can be closed.

Contributor

xuanxu commented May 5, 2011

Closing. Pull request moved to the new rails_autolink repository.

@xuanxu xuanxu closed this May 5, 2011

@hisas hisas pushed a commit to hisas/rails that referenced this pull request May 9, 2017

@mikel mikel Merge pull request #281 from dmathieu/tostr_gsub
use to_str before gsubing on a string
08284fd

@hisas hisas pushed a commit to hisas/rails that referenced this pull request May 9, 2017

@jeremy jeremy Merge pull request #957 from carsonreinke/281
Tests for PR #281
164cb38