differ
HTML formatter passes '<' symbol and tags unescaped
The :html formatter passes `<` symbols as-is to the resulting HTML, which may result in an XSS vulnerability.
```ruby
[2] pry(main)> Differ.diff_by_line("foo", "<script>alert(1)</script>").format_as(:html)
=> "<del class=\"differ\"><script>alert(1)</script></del><ins class=\"differ\">foo</ins>"
```
As Differ operates on strings, not HTML fragments, IMHO it should escape the chunks of these strings in the resulting HTML.
Using differ 0.1.2.
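To show the mitigation the report asks for, here is an added, self-contained Ruby example that is not the differ gem's code. It uses a hypothetical minimal line differ (`diff_by_line`, an LCS walk with `(old, new)` argument order, not the gem's algorithm or its argument semantics) and places the reported behaviour (`format_html_unsafe`, chunk text interpolated raw) beside a hardened formatter (`format_html`) that runs every chunk through the standard library's `CGI.escapeHTML` before wrapping it in `<del>`/`<ins>`. The input strings are the ones from the session above.

```ruby
require 'cgi'

# Hypothetical stand-in for a line differ: an LCS walk over lines that yields
# [:same | :del | :ins, line] pairs. Not the differ gem's algorithm.
def diff_by_line(old, new)
  a = old.split("\n", -1)
  b = new.split("\n", -1)
  m = a.size
  n = b.size
  # lcs[i][j] = length of the longest common subsequence of a[i..] and b[j..]
  lcs = Array.new(m + 1) { Array.new(n + 1, 0) }
  (m - 1).downto(0) do |i|
    (n - 1).downto(0) do |j|
      lcs[i][j] = if a[i] == b[j]
                    lcs[i + 1][j + 1] + 1
                  else
                    [lcs[i + 1][j], lcs[i][j + 1]].max
                  end
    end
  end

  ops = []
  i = j = 0
  while i < m && j < n
    if a[i] == b[j]
      ops << [:same, a[i]]
      i += 1
      j += 1
    elsif lcs[i + 1][j] >= lcs[i][j + 1]
      ops << [:del, a[i]]
      i += 1
    else
      ops << [:ins, b[j]]
      j += 1
    end
  end
  # Whatever is left on either side is a trailing deletion or insertion.
  ops.concat(a[i...m].map { |line| [:del, line] })
  ops.concat(b[j...n].map { |line| [:ins, line] })
  ops
end

def wrap(kind, text)
  case kind
  when :del then "<del class=\"differ\">#{text}</del>"
  when :ins then "<ins class=\"differ\">#{text}</ins>"
  else text
  end
end

# The behaviour the issue reports: chunk text goes into the markup as-is,
# so a chunk containing <script> is emitted as live markup.
def format_html_unsafe(ops)
  ops.map { |kind, text| wrap(kind, text) }.join("\n")
end

# Hardened formatter: every chunk is HTML-escaped before it is wrapped, so a
# diff of untrusted strings can be embedded in a page without becoming script.
def format_html(ops)
  ops.map { |kind, text| wrap(kind, CGI.escapeHTML(text)) }.join("\n")
end

if __FILE__ == $PROGRAM_NAME
  ops = diff_by_line("foo", "<script>alert(1)</script>")
  puts "unsafe:  #{format_html_unsafe(ops)}"
  puts "escaped: #{format_html(ops)}"
end
```

Escaping happens at the chunk level rather than on the whole output string, so the formatter's own `<del>`/`<ins>` markup stays intact while any `<`, `>`, `&` or quote that came from the compared strings is rendered as text. Escaping the inputs before diffing would also work for a line diff, but would change what the diff algorithm sees and is harder to guarantee at every call site.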