
Cross-Site Scripting Warning in app/views/snippets/show.html.erb

Open ari opened this issue 7 years ago • 2 comments

Security issue from Hakiri: Unescaped model attribute in app/views/snippets/show.html.erb

ari avatar Aug 31 '16 01:08 ari

We can use http://apidock.com/rails/ActionView/Helpers/SanitizeHelper/sanitize to avoid this issue. But it can hide some parts of bodies for existing snippets, for example <client_name> or [some URL] on snippet view page. We can customize it, but need to define a white list for tags. @ari

k41n avatar Aug 31 '16 13:08 k41n
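An added, stand-alone Ruby illustration (not jobsworth's code and not Rails' `sanitize` helper) of the whitelist trade-off described in the comment above: a `:strip` mode that drops unknown tags such as `<client_name>` the way `sanitize` does, and an `:escape` mode that keeps them visible as text while still neutralising script and event-handler markup. The allowed tag list and the http(s)-only `href` rule are assumptions for the example.

```ruby
require "erb"

# Illustration only: a minimal whitelist sanitizer in plain Ruby.
# Assumed trusted tags; every other tag is stripped or escaped.
ALLOWED_TAGS = %w[b i em strong code a].freeze
TAG_RE = %r{<(/?)([a-zA-Z][a-zA-Z0-9_]*)([^<>]*)>}

# Keeps only an http(s) href on <a>; all other attributes (onclick, style, ...) are dropped.
def safe_attrs(name, attrs)
  return "" unless name == "a"
  href = attrs[/\bhref\s*=\s*["']([^"']*)["']/i, 1]
  href && href =~ %r{\Ahttps?://}i ? %( href="#{ERB::Util.html_escape(href)}") : ""
end

# mode :strip  -> disallowed tags vanish (so "<client_name>" disappears from the snippet)
# mode :escape -> disallowed tags are rendered as literal text ("&lt;client_name&gt;")
# Text between tags is always HTML-escaped, so nothing reaches the page unescaped.
def sanitize_snippet(body, mode: :strip)
  out = +""
  pos = 0
  body.scan(TAG_RE) do
    m = Regexp.last_match
    out << ERB::Util.html_escape(body[pos...m.begin(0)])
    slash, name, attrs = m[1], m[2].downcase, m[3]
    if ALLOWED_TAGS.include?(name)
      out << (slash.empty? ? "<#{name}#{safe_attrs(name, attrs)}>" : "</#{name}>")
    elsif mode == :escape
      out << ERB::Util.html_escape(m[0])
    end
    pos = m.end(0)
  end
  out << ERB::Util.html_escape(body[pos..-1])
end

# Constructed sample snippet body mixing a placeholder, a link with an event handler, and a script tag.
SAMPLE = %(Hi <client_name>, see <a href="http://example.test" onclick="evil()">site</a><script>alert(1)</script>)

if __FILE__ == $0
  puts sanitize_snippet(SAMPLE, mode: :strip)
  puts sanitize_snippet(SAMPLE, mode: :escape)
end
```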

Isn't this the same problem we have in task comments? Why aren't we getting an error there?

At any rate, I'd like to move to markdown for comment text (with some extensions of our own like #1234 task links). I guess we'll need to think about incoming text from emails too, but hopefully markdown will cope with that.

ari avatar Aug 31 '16 22:08 ari