masq
Validation regexps use ^$ instead of \A\z
In app/models/masq/account.rb these two validations allow newlines:
validates_format_of :login, :with => /^[[email protected]]+$/
validates_format_of :email, :with => /(^([^@\s]+)@((?:[-_a-z0-9]+\.)+[a-z]{2,})$)|(^$)/i
That allows e.g. registering with a username containing a newline character.
More details: http://guides.rubyonrails.org/security.html#regular-expressions
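The difference the issue describes, as an added example (not code from masq or from the issue's author): it runs the email pattern quoted above, once with `^`/`$` and once with `\A`/`\z`, over constructed inputs. The constant names, the method names and the sample values are assumptions made for illustration.

```ruby
# Email pattern as quoted in the issue: ^ and $ anchor to a *line*, not the string.
LINE_ANCHORED = /(^([^@\s]+)@((?:[-_a-z0-9]+\.)+[a-z]{2,})$)|(^$)/i

# Same pattern with string anchors, the change the issue title asks for.
# \z (not \Z) is used so that a trailing newline is rejected as well.
STRING_ANCHORED = /(\A([^@\s]+)@((?:[-_a-z0-9]+\.)+[a-z]{2,})\z)|(\A\z)/i

# Constructed sample inputs (not taken from the issue).
SAMPLES = {
  "plain address"         => "user@example.com",
  "empty string"          => "",
  "trailing newline"      => "user@example.com\n",
  "second line appended"  => "user@example.com\nsecond line",
  "valid line after junk" => "not an address\nuser@example.com",
  "blank line in junk"    => "junk\n\nmore junk"
}.freeze

# True when the validation pattern would accept the value.
def accepted?(pattern, value)
  pattern.match?(value)
end

# Returns [label, accepted_by_line_anchors, accepted_by_string_anchors] rows.
def compare(samples = SAMPLES)
  samples.map do |label, value|
    [label, accepted?(LINE_ANCHORED, value), accepted?(STRING_ANCHORED, value)]
  end
end

if __FILE__ == $PROGRAM_NAME
  compare.each do |label, line, string|
    puts format('%-24s ^$: %-5s  \A\z: %s', label, line, string)
  end
end
```

With line anchors, any value that has one conforming line (or one blank line, via the `(^$)` alternative) passes validation; with string anchors only the first two samples pass.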