
link_to text not being escaped

Open pupeno opened this issue 14 years ago • 3 comments

The text part of link_to is not being escaped when it's not a safe string. The following snippet triggers a popup:

<%= link_to "<script>alert(\"XSS!!!\")</script>", nil %>

Thanks.

pupeno avatar Mar 21 '10 17:03 pupeno

This was fixed on github.com/rails/rails_xss but this version will be usable with Rails 2.3.6

spastorino avatar Mar 22 '10 03:03 spastorino

Can it be backported? Would it be merged back into NZKoz/rails_xss if I backport it?

pupeno avatar Mar 22 '10 06:03 pupeno

Yes, it will be backported. Don't worry, we are fixing a couple of things and we will do that soon. Thank you for helping.

spastorino avatar Mar 22 '10 06:03 spastorino