Serious XSS vulnerability in text fields #1391

chewi opened this Issue · 2 comments

2 participants


Unless I'm mistaken, there is a serious XSS vulnerability in the treatment of text fields in the show template. The formatted_value is marked as html_safe even though there's no guarantee that it actually is safe. Wrapping it in <pre> tags does nothing to make it safe. The problem was introduced by e37098d. I currently have no suggestions other than to correct this immediately as I don't know anything about bootstrap-wysihtml5.
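As an added illustration of the pattern described above (not code from RailsAdmin or from commit e37098d), the following stand-alone Ruby contrasts wrapping a raw field value in `<pre>` and treating the result as safe with escaping the value first. `ERB::Util.html_escape` from the standard library performs the same escaping Rails applies to `<%= %>` output; the sample value and the helper names are constructed for this example.

```ruby
require 'erb'

# Constructed sample: a text-field value an ordinary user could have saved.
UNTRUSTED_TEXT = %q{<script>alert('xss')</script> plain text}

# The vulnerable shape: the raw value is interpolated and the caller then
# marks the whole string html_safe, so the view layer performs no escaping.
def render_pre_unsafe(value)
  "<pre>#{value}</pre>"
end

# The corrected shape: escape the untrusted value before wrapping it.
# Only the <pre> tags written by this code reach the browser as markup.
def render_pre_escaped(value)
  "<pre>#{ERB::Util.html_escape(value)}</pre>"
end

# Defensive check for a view test: does the rendered fragment contain any
# tag other than the <pre> we intend to emit?
def contains_unexpected_tags?(html)
  tags = html.scan(%r{</?([a-zA-Z][a-zA-Z0-9]*)}).flatten.map(&:downcase).uniq
  tags.any? { |t| t != 'pre' }
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe:  #{render_pre_unsafe(UNTRUSTED_TEXT)}"
  puts "escaped: #{render_pre_escaped(UNTRUSTED_TEXT)}"
end
```

Note the caveat for WYSIWYG fields: if a field is meant to hold HTML produced by an editor such as bootstrap-wysihtml5, escaping it would display the markup as text, but marking it `html_safe` is still wrong. The defensive option there is an allowlist sanitizer (for example Rails' `sanitize` helper) that strips everything but the permitted formatting tags before the value is rendered.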


I'm not usually one to bump my own issue but this should really be ringing alarm bells. It allows regular users to potentially gain access to RailsAdmin with very little effort.

mshibuya closed this in c4af98b

I completely missed this issue when I merged that commit in.
Thanks for pointing it out and alarming us!
