
Not marking msg as html_safe by default. #868

Merged (1 commit) Aug 9, 2015

Conversation

@panmari (Contributor) commented Aug 7, 2015

This could be misused as an attack vector for XSS attacks.
Added two tests checking the behavior in both cases: whether the user
escapes the message or not.

See also #856

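To make the XSS vector concrete, here is a plain-Ruby emulation of the before/after behavior the PR describes. This is an added example, not the gem's code and not part of the thread: `SafeString`, `render_in_view` and `h` are stand-ins for ActiveSupport's `SafeBuffer`, a view's `<%= %>` and `html_escape`, `bootstrap_flash_before` / `bootstrap_flash_after` are hypothetical names for the alert helper with and without the default `html_safe`, and the flash message is a constructed sample.

```ruby
require "erb" # ERB::Util.html_escape comes from Ruby's standard library

# Stand-ins for ActiveSupport's SafeBuffer / String#html_safe (assumption: they
# reproduce only the one property that matters here, the "already escaped" flag).
class SafeString < String
  def html_safe?
    true
  end
end

class String
  def html_safe?
    false
  end

  def html_safe
    SafeString.new(self)
  end
end

# Stand-in for what a Rails view's <%= %> does: emit a marked-safe string as-is,
# escape anything else.
def render_in_view(value)
  value = value.to_s unless value.is_a?(String)
  value.html_safe? ? value.to_s : ERB::Util.html_escape(value)
end

# Stand-in for Rails' html_escape / h(): escape exactly once and mark the result
# safe, so a string that is already safe is not escaped a second time.
def h(value)
  value = value.to_s unless value.is_a?(String)
  return value if value.html_safe?
  ERB::Util.html_escape(value).html_safe
end

# "Before" (hypothetical name): the helper marks the finished markup, message
# included, as html_safe. Whatever sits in the flash reaches the browser raw.
def bootstrap_flash_before(type, msg)
  %(<div class="alert alert-#{type}">#{msg}</div>).html_safe
end

# "After" (hypothetical name): the helper leaves the decision to the caller. A
# plain string is escaped; a string the caller already escaped or deliberately
# marked html_safe passes through untouched.
def bootstrap_flash_after(type, msg)
  %(<div class="alert alert-#{type}">#{h(msg)}</div>).html_safe
end

# Constructed sample input: a flash message that echoes an attacker-chosen value.
ATTACKER_NAME = "<script>alert(1)</script>".freeze
NOT_FOUND_MSG = "User #{ATTACKER_NAME} not found".freeze

if $PROGRAM_NAME == __FILE__
  puts "before: #{render_in_view(bootstrap_flash_before('error', NOT_FOUND_MSG))}"
  puts "after:  #{render_in_view(bootstrap_flash_after('error', NOT_FOUND_MSG))}"
  # Caller escaped the message itself (the PR's second case): no double escaping.
  puts "after (pre-escaped): #{render_in_view(bootstrap_flash_after('error', h(NOT_FOUND_MSG)))}"
end
```

The two cases the PR's tests cover fall out directly: an unescaped message is escaped once at render time, and a message the caller has already escaped (or marked `html_safe` on purpose, for markup such as a link in the alert) is passed through without being escaped again, because the escaped result is itself marked safe. The helper calling `html_safe` on the caller's behalf is what removes that choice and turns every user-influenced flash message into an injection point.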
@symmetriq

👍

The maintainers of this project need to stop flip-flopping on this issue. This was fixed on March 24, 2014 (commit), and applied to the Bootstrap 3 branch on April 1, 2014 (commit). On Dec 12, 2014 (commit), someone else came along and just re-added html_safe (seemingly oblivious to the fact that it was removed for a reason), and it went right back in without anybody questioning it.

At this point I'm now considering dropping this gem from the app I work on, but for the sake of people who still use it, this fix needs to go back in.

@claudiob commented Aug 8, 2015

@symmetriq In case you need an alternative, you might want to look at http://fullscreen.github.io/bh

@panmari (Contributor, Author) commented Aug 8, 2015

Maybe now that I've added tests that mention the XSS issue there, people
will be more hesitant to revert the change...


seyhunak added a commit referencing this pull request on Aug 9, 2015: Not marking msg as html_safe by default.
@seyhunak merged commit 11ff643 into seyhunak:master on Aug 9, 2015