
Possible Unsafe String Interpolation

Open lcreid opened this issue 3 years ago • 2 comments

While refactoring for #642, BootstrapFormGroupTest#test_append_and_prepend_button started outputting escaped strings instead of HTML. But the test hadn't changed. So the question is, did the code always allow unsafe strings to be passed in and be rendered without being checked for HTML-safeness?

lcreid avatar Aug 02 '22 02:08 lcreid
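The two behaviours the report contrasts (HTML in a plain string being escaped versus HTML that has been explicitly marked safe being rendered) can be reproduced outside Rails. The following is an added example, not code from the bootstrap_form gem or the issue author; it uses only `ERB::Util.html_escape` from the Ruby standard library, and `TrustedHtml`, `safe_fragment` and `input_group` are assumed names that stand in for Rails' `html_safe?` / `SafeBuffer` convention rather than the gem's real implementation.

```ruby
require "erb"

# Marker class for markup the caller explicitly vouches for. This is an
# assumption standing in for ActiveSupport::SafeBuffer, not bootstrap_form's code.
class TrustedHtml < String; end

def trusted?(value)
  value.is_a?(TrustedHtml)
end

# Escape anything that has not been explicitly marked trusted. This is the
# check the issue asks about: without it, a plain string containing markup
# would be interpolated verbatim.
def safe_fragment(value)
  trusted?(value) ? value.to_s : ERB::Util.html_escape(value.to_s)
end

# Builds a Bootstrap-style input group with optional prepend/append content,
# a simplified stand-in for the gem's append/prepend options.
def input_group(input_html, prepend: nil, append: nil)
  parts = []
  parts << %(<div class="input-group-prepend">#{safe_fragment(prepend)}</div>) if prepend
  parts << safe_fragment(input_html)
  parts << %(<div class="input-group-append">#{safe_fragment(append)}</div>) if append
  TrustedHtml.new(%(<div class="input-group">#{parts.join}</div>))
end

# Constructed sample input element, already marked trusted by the "helper".
SAMPLE_INPUT = TrustedHtml.new(%(<input type="text" name="q">)).freeze

# A plain string with markup is escaped (what the issue observed after refactoring).
def render_with_plain_append
  input_group(SAMPLE_INPUT, append: "<b>Go</b>")
end

# The same markup marked trusted is rendered as HTML.
def render_with_trusted_append
  input_group(SAMPLE_INPUT, append: TrustedHtml.new("<b>Go</b>"))
end

if __FILE__ == $PROGRAM_NAME
  puts render_with_plain_append
  puts render_with_trusted_append
end
```

Run the file directly to see the two renderings side by side; the plain-string case shows `&lt;b&gt;Go&lt;/b&gt;` in the append slot, while the trusted case shows `<b>Go</b>`. The escaping branch is the conservative default the second comment refers to: a string that is not positively known to be safe is treated as text.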

@lcreid Is there anything to do on this issue?

donv avatar Sep 13 '23 05:09 donv

I'd like to leave this open, but I don't think it's high priority to address, since what I observed is that HTML was getting escaped, which is safer than if we were allowing through HTML that might not be safe to render.

lcreid avatar Sep 14 '23 02:09 lcreid