cells-slim
Remove disable_escape: true
Slim has two output features:

- `=` Output (HTML-escaped)
- `==` Output without HTML escaping
If somebody wants to output without HTML escaping, they should use `==`, not `=`. `disable_escape` disables the escaping of `=`.

I have used slim many times before and assumed that slim works the same way in cells-slim. I found XSS problems when one of our customers ran penetration tests on my application.

I think most people don't even know that cells-slim disables escaping and remain unaware of it. The method to enable escaping, and a warning that escaping is disabled by default, should be described in the gem's README.

It can be changed easily by overriding `template_options_for` from `Cells::Slim`:
```ruby
module Cell
  module Slim
    # Override cells-slim's default template options so that `=` is HTML-escaped
    # again; `==` remains available for deliberately unescaped output.
    def template_options_for(options)
      {
        template_class: ::Slim::Template,
        suffix: 'slim',
        disable_escape: false,   # the cells-slim default is true, which leaves `=` unescaped
        escape_code: false,
        use_html_safe: true,     # do not double-escape ActiveSupport html_safe strings
        buffer: '@output_buffer'
      }
    end
  end
end
```

This can be put in `config/application.rb`.