return sanitized strings #1

Merged (2 commits, May 5, 2011)

xuanxu (Collaborator) commented May 5, 2011

The default behaviour for this helper was changed to fix a security bug (rails/rails@61ee344). But now this code returns insecure content:
auto_link("<script>alert('malicious')</script> www.rubyonrails.org", :sanitize => true)

I propose to avoid the security problem by returning sanitized strings, as the rest of the text helpers do, and at the same time make better use of the existing (but undocumented) :sanitize option.
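
The problem described above, as an added, self-contained Ruby illustration (not the rails_autolink gem's code, not Rails' own `auto_link`): a helper that accepts `:sanitize` but ignores it passes the `<script>` element through untouched, while a helper that strips markup before adding its own anchors does not. The regex tag stripper, the URL pattern and the `http://` prefix added to `www.` hosts are assumptions for the example; real code should use Rails' `sanitize` helper or Loofah rather than a regex.

```ruby
require 'cgi'

# Constructed example: a minimal auto_link stand-in. Not the gem's code.
URL_RE = %r{(?:https?://|www\.)[^\s<"']+}i

# Naive tag stripper used as a stand-in for a real HTML sanitizer (assumption).
def strip_tags(text)
  text.gsub(/<[^>]*>/, '')
end

# Build an anchor; attribute and text are HTML-escaped so the URL itself
# cannot break out of the tag.
def anchor_for(url)
  href = url.start_with?('www.') ? "http://#{url}" : url
  %(<a href="#{CGI.escapeHTML(href)}">#{CGI.escapeHTML(url)}</a>)
end

def linkify(text)
  text.gsub(URL_RE) { |url| anchor_for(url) }
end

# The behaviour the thread complains about: the option is accepted but the
# surrounding text is returned as-is, so injected markup survives.
def auto_link_ignoring_sanitize(text, sanitize: true)
  linkify(text)
end

# The proposed behaviour: with :sanitize => true, strip markup from the input
# first, then linkify, so the only tags in the result are the anchors we built.
# With :sanitize => false the caller is asserting the input is already trusted.
def auto_link(text, sanitize: true)
  text = strip_tags(text) if sanitize
  linkify(text)
end

# Quick check used by the demo below.
def contains_script_tag?(html)
  html =~ /<script\b/i ? true : false
end

# Constructed sample input, the same string quoted in the thread.
SAMPLE = "<script>alert('malicious')</script> www.rubyonrails.org"

if __FILE__ == $0
  puts auto_link_ignoring_sanitize(SAMPLE, sanitize: true) # script tag survives
  puts auto_link(SAMPLE, sanitize: true)                   # script tag removed
end
```

Run it as a plain script: the first line printed still contains `<script>`, the second only contains the anchor the helper generated. Stripping before linkifying also means the stripper never has to recognise and preserve the helper's own `<a>` tags.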

@tenderlove tenderlove merged commit 922ca9a into tenderlove:master May 5, 2011
tenderlove (Owner) commented
@xuanxu congratulations, you are now on the rails_autolink team!

xuanxu (Collaborator) commented May 5, 2011

yeehaw! :) ❤️

tenderlove (Owner) commented
Would you like to maintain this gem? I don't really have time for it. :-(

xuanxu (Collaborator) commented May 6, 2011

Sure, no problem. I can keep an eye on it.
