Fixed XSS issue with link attributes #47

Merged
merged 1 commit into from Jun 8, 2014

5 participants

@fcsonline
Collaborator

The current version of auto_link is vulnerable to an XSS attack:

https://www.foobar.com/"onmouseover="prompt()

you will get

<a href="https://www.foobar.com/" onmouseover="prompt()">https://www.foobar.com/"onmouseover="prompt()</a>

Solution:

The regexp should find characters until a " is found. Then the result is:

<a href="https://www.foobar.com/">https://www.foobar.com/"onmouseover="prompt()</a>onmouseover="prompt()"
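The mechanism described above, as an added example that is not part of the PR or of rails_autolink itself: a simplified stand-in for auto_link whose URL regexp runs until whitespace (the "before" behaviour), next to a fixed version that stops the match at a double quote and additionally HTML-escapes the href and the link text. The regexps, the function names and the injected_attribute? check are assumptions made for the illustration, not the gem's own code; the payload is the one from the report.

```ruby
require 'cgi'

# Payload from the PR description (constructed sample input).
PAYLOAD = 'https://www.foobar.com/"onmouseover="prompt()'

# Before: the URL match runs until whitespace, so the double quote in the
# payload is swallowed into the URL and lands inside the href attribute.
# Illustrative pattern, not the gem's actual regexp.
GREEDY_URL_RE = %r{https?://[^\s<>]+}

# After: also stop at a double quote, so the quote can no longer close the
# href attribute early and start a new attribute.
SAFE_URL_RE = %r{https?://[^\s<>"]+}

# Vulnerable form: interpolates the matched URL straight into the attribute.
def auto_link_vulnerable(text)
  text.gsub(GREEDY_URL_RE) { |url| %(<a href="#{url}">#{url}</a>) }
end

# Fixed form: narrower regexp plus HTML escaping of both the attribute value
# and the surrounding text as defence in depth, so a quote that did slip
# through would become &quot; instead of terminating the attribute.
def auto_link_fixed(text)
  out = +''
  last = 0
  text.scan(SAFE_URL_RE) do
    m = Regexp.last_match
    out << CGI.escapeHTML(text[last...m.begin(0)])
    safe = CGI.escapeHTML(m[0])
    out << %(<a href="#{safe}">#{safe}</a>)
    last = m.end(0)
  end
  out << CGI.escapeHTML(text[last..-1])
end

# Check helper: does any <a ...> opening tag carry a quoted attribute other
# than href? Tokenizes name="value" pairs the way a browser would see them.
def injected_attribute?(html)
  html.scan(/<a\s([^>]*)>/).any? do |(attrs)|
    attrs.scan(/([a-zA-Z:-]+)="[^"]*"/).flatten.any? { |name| name.downcase != 'href' }
  end
end

if $PROGRAM_NAME == __FILE__
  puts auto_link_vulnerable(PAYLOAD)
  puts auto_link_fixed(PAYLOAD)
end
```

Running the block prints the unsafe markup (an onmouseover attribute inside the anchor) followed by the fixed markup, where the payload's tail is left as escaped text after the link rather than becoming an attribute.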
@tenderlove
Owner

@fcsonline congratulations! You are now a rails_autolink-core team member. Please merge this PR yourself. Also, send me your email address and I'll give you release privilege on rubygems.org.

@masylum

🎉

@tardate tardate merged commit 13579a7 into tenderlove:master Jun 8, 2014
@tardate
Collaborator

@fcsonline I merged this into a 1.1.6 release with a few other PRs. Please do check to make sure after the merge all is still well!

@fcsonline
Collaborator

Thanks! I'll do it.
