Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

comments right now accept image tags #35

Closed
justin808 opened this issue May 21, 2015 · 3 comments
Closed

comments right now accept image tags #35

justin808 opened this issue May 21, 2015 · 3 comments

Comments

@justin808
Copy link
Member

Somebody put in this comment at

http://www.reactrails.com/

<div class="comment" data-reactid=".0.0.2.$41"><h2 class="comment-author" data-reactid=".0.0.2.$41.0">123</h2><span data-reactid=".0.0.2.$41.1"><p><img src="" onerror="alert(1)"></p>
</span></div>

@mbreining we need to change the demo so that that HTML tags are stripped. In fact, they might be and this may have been entered on the rails side. In any case, any HTML tags should be escaped before display. @Dgrafmyre you can take a quick look at this as well. Might be fun to fix.

railsreacttutorial
@justin808
Copy link
Member Author

railsreacttutorial

@justin808
Copy link
Member Author

Deleted the offending records by running this in the console.

Comment.where("text like '%<%'").delete_all

However, the comment field should store anything in there.

Need to fix the ReactJs code so that it sanitizes the html tags before displaying them.

@justin808
Copy link
Member Author

This was fixed and deployed some time ago.

@justin808 justin808 mentioned this issue Oct 31, 2015
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@justin808