sanitize after auto_link - #13 XSS vulnerability #14

Merged
merged 1 commit into from May 24, 2012

Collaborator

homakov commented May 24, 2012

for #13

At first I was thinking about whitelisting a Regexp for URLs, but it probably will not include all URI protocols.
Then I thought it should be fixed in conditional_html_safe, but right now moving sanitize after auto_link solves the problem more gracefully.
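The ordering point the PR description makes, shown with added example code that is not rails_autolink's or Rails' own: a toy autolinker (`toy_auto_link`) and a toy allowlist sanitizer (`toy_sanitize`) are hypothetical stand-ins, and the sample input is constructed. A linker manufactures anchor markup from text, so a sanitizer that runs before it never sees the generated href; running the sanitizer after the linker lets it strip a disallowed scheme like any other unsafe markup.

```ruby
require 'cgi'

# Matches "scheme:rest" runs such as http://example.com/ ; quotes and angle
# brackets are excluded so the toy linker never splits an attribute.
# Hypothetical pattern, far simpler than rails_autolink's.
URL_RE = %r{\b[a-z][a-z0-9+.-]*:[^\s<>"]+}i

# Toy auto_link (hypothetical): wraps each URL-looking token in an anchor and
# copies the URL into href unchanged. Like any linker, it *creates* markup,
# so whatever scheme the input carries ends up inside an attribute.
def toy_auto_link(text)
  text.gsub(URL_RE) { |url| %(<a href="#{url}">#{url}</a>) }
end

# Toy sanitizer (hypothetical stand-in for Rails' sanitize helper): keeps
# <a> tags only with an http(s) href, drops any other href, and escapes
# every other tag.
def toy_sanitize(html)
  html.gsub(%r{<(/?)([a-z]+)([^>]*)>}i) do
    closing = Regexp.last_match(1)
    tag     = Regexp.last_match(2).downcase
    attrs   = Regexp.last_match(3)
    if tag != 'a'
      CGI.escapeHTML("<#{closing}#{tag}#{attrs}>")
    elsif closing == '/'
      '</a>'
    elsif (m = attrs.match(/\bhref="(https?:[^"]*)"/i))
      %(<a href="#{m[1]}">)
    else
      '<a>' # disallowed or missing scheme: keep the element, drop the href
    end
  end
end

# The ordering the PR replaced: sanitize runs on plain text (nothing to
# strip), then auto_link manufactures an anchor the sanitizer never sees.
def sanitize_then_link(text)
  toy_auto_link(toy_sanitize(text))
end

# The ordering the PR introduced: the anchor exists by the time sanitize
# runs, so a disallowed scheme in href is removed.
def link_then_sanitize(text)
  toy_sanitize(toy_auto_link(text))
end

if __FILE__ == $PROGRAM_NAME
  sample = 'see javascript:alert(1) and http://example.com/ here' # constructed input
  puts "sanitize, then link: #{sanitize_then_link(sample)}"
  puts "link, then sanitize: #{link_then_sanitize(sample)}"
end
```

Both orderings keep the harmless `http://example.com/` link; only the second one removes the `javascript:` href from the generated anchor, which is the property the sanitizer was supposed to guarantee all along.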

@tenderlove tenderlove added a commit that referenced this pull request May 24, 2012

@tenderlove tenderlove Merge pull request #14 from homakov/patch-1
sanitize after auto_link - #13 XSS vulnerability
20247e2

@tenderlove tenderlove merged commit 20247e2 into tenderlove:master May 24, 2012

Owner

tenderlove commented May 24, 2012

Congrats, you've got commit access now! :-)

Collaborator

homakov commented May 24, 2012

@tenderlove thank you :) Making up with rails!

Owner

tenderlove commented May 24, 2012

Can you backport this to Rails 3-0-stable for me? I think 3.1 and up don't have the code, but we could use it in 3.0. Thanks!

Owner

tenderlove commented May 24, 2012

Also, can you send me the email address you use with rubygems.org? I will give you permission to release this gem.

Collaborator

homakov commented May 24, 2012

@tenderlove it's homakov@gmail.com
I will try to backport, but I'm not too much of a pro with git, thus it may take a while.

Owner

tenderlove commented May 24, 2012

Ok. You have release permission now. In order to release, update this version constant and commit. Then do rake release VERSION=newversion (make sure newversion matches what you updated with). It should automatically tag and push the gem to rubygems.org.

I would just take this patch that you added and apply to rails on the 3-0-stable branch.

Thanks!

Collaborator

homakov commented May 24, 2012

@tenderlove released
Thinking about a graceful patch for 3.0 - it uses different methods. Hmm, maybe rails/rails#6479 is the best option (something weird went on in that PR, a GitHub error probably; backport through the web interface..).

Collaborator

homakov commented May 24, 2012

Oh, sorry for the mess there, it's 2am - the GH web interface always pushes to master. OK, the whole idea is at homakov/rails@15f1035 ..

Owner

tenderlove commented May 24, 2012

No problem! I think the patch is fine. Have some sleep and send the PR again tomorrow! :-)
