Fixed XSS issue with link attributes #47

merged 1 commit into from Jun 8, 2014

5 participants


The current version of auto_link is vulnerable to an XSS attack:

"onmouseover="prompt()

you will get

<a href="" onmouseover="prompt()">"onmouseover="prompt()</a>


The regexp should find characters until a " is found. Then the result is:

<a href="">"onmouseover="prompt()</a>onmouseover="prompt()"
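The description above explains the root cause: the URL regexp keeps consuming characters through a double quote, so the quote and whatever follows it land inside the href attribute. The following is an added example, not code from the rails_autolink gem or from this PR; the two regexps (VULNERABLE_URL_RE / FIXED_URL_RE), the auto_link_with linker, the PAYLOAD input and the link_attribute_names check are all simplified constructions that model the behaviour the PR describes. It shows the pre-fix pattern producing an injected onmouseover attribute, the post-fix pattern (with `"` added to the negated character class) stopping at the quote, and attribute escaping as the defence-in-depth that makes the output safe even when the regexp is wrong.

```ruby
require "cgi"

# Constructed model of the pre-fix matcher (assumption, not the gem's regexp):
# the negated class stops only at whitespace and '<', so a '"' in the input is
# swallowed into the URL and ends up inside the href attribute value.
VULNERABLE_URL_RE = %r{(?:https?://|www\.)[^\s<]+}i

# The fix the PR describes: stop matching as soon as a '"' is found.
FIXED_URL_RE = %r{(?:https?://|www\.)[^\s<"]+}i

# Minimal auto_link-style linker (hypothetical helper). `escape: false` models
# the unsafe path where the attribute value is interpolated verbatim;
# `escape: true` adds the attribute escaping every linker should have
# regardless of how the URL regexp is written.
def auto_link_with(text, url_re, escape:)
  text.gsub(url_re) do |href|
    attr = escape ? CGI.escapeHTML(href) : href
    %(<a href="#{attr}">#{CGI.escapeHTML(href)}</a>)
  end
end

# Constructed input: a URL immediately followed by the attribute-injection
# string quoted in the PR description.
PAYLOAD = 'http://example.com"onmouseover="prompt()'

# Lists the attribute names inside the first <a ...> opening tag. An injected
# handler only counts if it is parsed as its own attribute, i.e. it sits after
# the closing quote of href rather than inside an escaped value.
def link_attribute_names(html)
  open_tag = html[/<a\b([^>]*)>/i, 1] or return []
  open_tag.scan(/([a-z][\w-]*)="[^"]*"/i).flatten.map(&:downcase)
end

if __FILE__ == $0
  vuln  = auto_link_with(PAYLOAD, VULNERABLE_URL_RE, escape: false)
  fixed = auto_link_with(PAYLOAD, FIXED_URL_RE, escape: false)
  safe  = auto_link_with(PAYLOAD, VULNERABLE_URL_RE, escape: true)
  puts "pre-fix : #{vuln}\n  attributes: #{link_attribute_names(vuln).inspect}"
  puts "post-fix: #{fixed}\n  attributes: #{link_attribute_names(fixed).inspect}"
  puts "escaped : #{safe}\n  attributes: #{link_attribute_names(safe).inspect}"
end
```

With the pre-fix regexp and no escaping, the opening tag carries both `href` and `onmouseover`; with the fixed regexp the match ends before the quote, so the injected text is emitted as plain content after the closing `</a>`. The third case shows why the regexp change alone is not the whole story: escaping the attribute value turns the quote into `&quot;`, which neutralises the injection even if a future regexp change lets a quote through again.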

@fcsonline congratulations! You are now a rails_autolink-core team member. Please merge this PR yourself. Also, send me your email address and I'll give you release privilege on



@tardate tardate merged commit 13579a7 into tenderlove:master Jun 8, 2014

@fcsonline I merged this into a 1.1.6 release with a few other PRs. Please do check to make sure after the merge all is still well!


Thanks! I'll do it.
