
Security issue: XSS (cross-site scripting)

Open claudiob opened this issue 9 years ago • 2 comments

Looks like https://github.com/seyhunak/twitter-bootstrap-rails/commit/23c2050c5fd0c0aff26484673703c4455993550a is taken as an example in a RailsConf talk about what not to do in a gem to avoid cross-site scripting. Take a look at https://youtu.be/dof0EspDPlU?t=24m4s – what do you think?

claudiob avatar May 18 '15 17:05 claudiob

As argued in the talk, I think escaping should happen at the user level if desired. I created a pull request reverting this change and added two tests.

panmari avatar Aug 07 '15 13:08 panmari
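The escaping placement argued for above, as an added illustration that is not the gem's or the talk's code: a helper that marks its own output safe regardless of input, beside one that escapes inside and leaves the "this is already HTML" decision to the caller. `SafeString`, the helper names and the sample input are constructed here; `SafeString` stands in for Rails' `ActiveSupport::SafeBuffer`.

```ruby
require 'erb'

# Marker type standing in for Rails' ActiveSupport::SafeBuffer: the caller
# wraps a string in it only when the caller has already escaped it or trusts it.
class SafeString < String; end

# Escape unless the caller explicitly marked the value as safe.
def h(value)
  value.is_a?(SafeString) ? value.to_s : ERB::Util.html_escape(value.to_s)
end

module VulnerableHelper
  # Anti-pattern from the talk: the helper decides on the caller's behalf that
  # its whole output is safe, so caller-supplied text is emitted verbatim.
  def self.menu_item(text, href)
    SafeString.new("<li><a href=\"#{href}\">#{text}</a></li>")
  end
end

module EscapingHelper
  # Escaping happens inside the helper; only the assembled markup is marked
  # safe. A caller who wants raw HTML must pass a SafeString deliberately.
  def self.menu_item(text, href)
    SafeString.new("<li><a href=\"#{h(href)}\">#{h(text)}</a></li>")
  end
end

# Constructed sample: a user-controlled value (e.g. a search term) echoed into a nav link.
UNTRUSTED = '<script>alert(1)</script>'
puts VulnerableHelper.menu_item(UNTRUSTED, '/search')  # script tag reaches the page
puts EscapingHelper.menu_item(UNTRUSTED, '/search')    # rendered as &lt;script&gt;...
puts EscapingHelper.menu_item(SafeString.new('<b>Home</b>'), '/')  # caller opted in
```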

@seyhunak This is quite concerning because this vulnerability was addressed in 2014.

Read about it in this blog post: https://nvisium.com/blog/2014/03/28/reflected-xss-vulnerability-in-twitter/

Relevant commit: https://github.com/seyhunak/twitter-bootstrap-rails/commit/663760e67b80ee25adc293bf5f03debae28b5af9

forced-request avatar Jan 28 '16 18:01 forced-request