
Allow adding HTML to errors[:base] messages #1596

Closed · wants to merge 1 commit


virtax commented Apr 5, 2013

This will allow using links in errors[:base] messages like this:
errors[:base] << "Please fix this object first: #{channel_name}".html_safe

P.S. Simply adding .html_safe to the end of the message doesn't work.

Allow using HTML in errors[:base] messages
This will allow using links in errors[:base] messages like this:
errors[:base] << "Please fix this object first: <a href='/admin/channel/#{channel_id}/edit'></a>".html_safe

P.S. Simply adding .html_safe to the end of the message doesn't work.

Coverage increased (+0.3%) when pulling 0f3297e on virtax:master into 97246a1 on sferik:master.

Owner

sferik commented Apr 7, 2013

It seems like this would open up an XSS vulnerability, no?

Collaborator

mshibuya commented Apr 9, 2013

Agreed with @sferik. This code is terrible.
Please look for a cleaner way (and possibly provide some specs) if you really need this feature.

@mshibuya mshibuya closed this Apr 9, 2013

virtax commented Apr 9, 2013

Yes, the code does seem to open an XSS. But if you already use Rails Admin, that means that you have admin rights. So why try 'delete User' via XSS, when you can do it via Rails Admin?

Collaborator

mshibuya commented Apr 9, 2013

The problem is, for example, if an error message accidentally contains the string <div>, then the whole page layout gets corrupted.
That's what we don't want to happen.

virtax commented Apr 9, 2013

OK, agree.
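The following is an added example, not code from this PR or from rails_admin. It puts the pattern proposed in the PR (interpolate an untrusted value, then mark the whole string html_safe) beside one that escapes every untrusted value before the link markup is assembled, and adds the kind of spec-style check the thread asks for: the rendered message must contain no tags beyond the one link the developer intended. ERB::Util.html_escape is standard Ruby; the helper names and the constructed channel name are this example's own assumptions.

```ruby
require "erb"

# Added example, not code from the PR or from rails_admin. ERB::Util.html_escape
# is standard Ruby; the helper names and the constructed channel name below are
# this example's own assumptions.

# The PR's pattern: channel_name goes into the string verbatim, and the caller
# then declares the whole string html_safe. Anything in channel_name, whether
# "<div>" by accident or a script tag on purpose, is emitted as raw HTML.
def unsafe_base_message(channel_id, channel_name)
  "Please fix this object first: " \
    "<a href='/admin/channel/#{channel_id}/edit'>#{channel_name}</a>"
end

# Hardened pattern: escape each untrusted value first, so only the markup the
# developer wrote is markup. Only this assembled result should ever be treated
# as trusted by a view (in Rails via String#html_safe from ActiveSupport;
# guarded here so the example also runs on plain Ruby without Rails).
def safe_base_message(channel_id, channel_name)
  id   = ERB::Util.html_escape(channel_id.to_s)
  name = ERB::Util.html_escape(channel_name.to_s)
  html = "Please fix this object first: " \
         "<a href='/admin/channel/#{id}/edit'>#{name}</a>"
  html.respond_to?(:html_safe) ? html.html_safe : html
end

# Spec-style check for the concern raised in the thread: the message must
# contain exactly the opening and closing tag of the intended link, nothing
# else, so stray markup from a field value cannot reach the page layout.
def only_link_markup?(html)
  tags = html.scan(%r{</?([A-Za-z][A-Za-z0-9]*)}).flatten
  tags.size == 2 && tags.all? { |t| t == "a" }
end

# Constructed input standing in for a channel name an admin could have saved.
CONSTRUCTED_CHANNEL_NAME = "News <div style='display:none'>"

if __FILE__ == $PROGRAM_NAME
  puts unsafe_base_message(7, CONSTRUCTED_CHANNEL_NAME)
  puts only_link_markup?(unsafe_base_message(7, CONSTRUCTED_CHANNEL_NAME)) # false
  puts safe_base_message(7, CONSTRUCTED_CHANNEL_NAME)
  puts only_link_markup?(safe_base_message(7, CONSTRUCTED_CHANNEL_NAME))   # true
end
```

The design point is that escaping happens per value, at the moment the untrusted data meets the markup, rather than being switched off for the whole string afterwards; with that ordering the link still renders, while a field value containing `<div>` shows up as literal text instead of breaking the layout.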
