Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Can´t use: [:escaped_params] ? #1615

Closed
baelter opened this issue May 19, 2020 · 3 comments
Closed

Can´t use: [:escaped_params] ? #1615

baelter opened this issue May 19, 2020 · 3 comments

Comments

@baelter
Copy link
Contributor

@baelter baelter commented May 19, 2020

@dentarg
Copy link

@dentarg dentarg commented May 19, 2020

Seems like it is intentionally not included by use Rack::Protection, if that's what you mean: https://github.com/sinatra/sinatra/blob/v2.0.8.1/rack-protection/README.md#cross-site-request-forgery

A bit hard to follow, but I think background for that exist in

@baelter
Copy link
Contributor Author

@baelter baelter commented May 20, 2020

I'm down with that, but it can't be activated with

set(:protection, use: [:escaped_params], escape: [:html]

Bonus quirk: the escape options passed above are used if I activate it with

use Rack::Protection::EscapedParams
@jkowens
Copy link
Member

@jkowens jkowens commented Aug 11, 2020

@baelter I think you are correct, it should be added there and off by default. Can you send up a PR to do that?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

3 participants
You can’t perform that action at this time.