rails_xss
A plugin for Rails 2.3.5 applications that makes HTML escaping the default in views (output is escaped unless it is explicitly marked html_safe). Later versions should use rails/rails_xss.
Hi, currently some helpers like f.text_field are being escaped, why? I have installed erubis before the plugin, should I configure erubis to work together with this plugin some way?...
Since link_to and other helper methods return an html_safe string, wouldn't it make sense for them to escape the content passed to them? Otherwise the application is still vulnerable to...
The text part of link_to is not being escaped when it's not a safe string. The following snippet triggers a popup: ``` ``` Thanks.
The result of calling the helper debug is not being marked as safe: ``` ``` Shouldn't it be marked as safe?
I think it would be nice to create an alias `html_safe` as in Rails 3, so we don't have to conditionally call the method when making a compatible plugin for...
Escaping is being done on static HTML in results of <%= cache... %> calls and tabnav plugin output
Rails 2.3.5. I installed this plugin and saw most of my page start displaying HTML source. It appears that the static HTML in the output of a call like: '/layouts/header'...
I.e. in binarylogic/searchlogic (line 69 of rails_helpers.rb): ``` concat(content_tag("div", hidden_field_tag("#{args.first}[order]", search_obj.order)) + "\n") ``` and in dpickett/tab_menu (line 15 of view_helpers.rb): ``` concat("") ```
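The two failure modes reported above (link_to text reaching the page unescaped because the helper blesses its whole output as html_safe, and plain-String markup passed to concat showing up as escaped source) both follow from one rule: a safe buffer escapes anything appended to it that is not itself marked safe. The following Ruby is an added illustration of that rule, not code from rails_xss or Rails. SafeBuffer stands in for ActiveSupport::SafeBuffer, and link_to_unsafe, link_to, content_tag, the page_with_* and concat_* functions and the PAYLOAD string are constructed for this example.

```ruby
require 'cgi'

# Minimal model of escape-by-default semantics (illustration only; this is not
# ActiveSupport::SafeBuffer, just enough of its contract to show the behaviour).
class SafeBuffer < String
  def self.escape(str)
    CGI.escapeHTML(str)
  end

  def html_safe?
    true
  end

  # Appending to a safe buffer escapes anything not already marked safe.
  def <<(value)
    super(value.html_safe? ? value.to_s : SafeBuffer.escape(value.to_s))
  end
  alias :concat :<<

  # Keep "+" from decaying into a plain String, which would lose safety.
  def +(other)
    dup << other
  end
end

class String
  def html_safe?
    false
  end

  def html_safe
    SafeBuffer.new(self)
  end
end

# A helper that builds the tag from safe pieces and appends its content through
# the buffer, so content is escaped unless the caller marked it html_safe.
def content_tag(name, content, attrs = {})
  attr_str = attrs.map { |k, v| %( #{k}="#{SafeBuffer.escape(v.to_s)}") }.join
  buf = SafeBuffer.new("<#{name}#{attr_str}>")
  buf << content
  buf << "</#{name}>".html_safe
end

# Broken pattern: interpolate the raw text, then mark the whole string safe.
# A non-safe text argument reaches the page unescaped.
def link_to_unsafe(text, href)
  %(<a href="#{SafeBuffer.escape(href)}">#{text}</a>).html_safe
end

# Fixed pattern: same markup, but text goes through the safe buffer.
def link_to(text, href)
  content_tag(:a, text, href: href)
end

# Constructed attacker-controlled link text.
PAYLOAD = "<script>alert(1)</script>"

def page_with_unsafe_helper(text = PAYLOAD)
  buf = SafeBuffer.new("")
  buf << link_to_unsafe(text, "/profile")
end

def page_with_fixed_helper(text = PAYLOAD)
  buf = SafeBuffer.new("")
  buf << link_to(text, "/profile")
end

# The concat pattern from the plugin snippets: a plain String of markup is
# escaped on the way into the buffer, so the page shows HTML source.
def concat_plain_string
  buf = SafeBuffer.new("")
  buf.concat(%(<div class="field">) + "\n")
end

# Marking the intended markup html_safe (and only that markup) restores it.
def concat_safe_string
  buf = SafeBuffer.new("")
  buf.concat(%(<div class="field">).html_safe + "\n")
end
```

The point for plugin authors is that html_safe is a claim about the whole string: call it on markup you wrote, never on a string that has already had untrusted input interpolated into it.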