#903 open
Bryan Larsen

Rails 2.3.3 and older do not escape text_area_tag

Reported by Bryan Larsen | January 16th, 2011 @ 06:11 PM | in Hobo 1.0X

The Hobo input for="text" does not escape the text. If the input contains </textarea> this may let users write arbitrary text to your HTML. Rails 2.3.4 and later escape text_area_tag by default, so this is only a bug for older versions of Rails.
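As an added example, not code from the Hobo project or from the ticket, here is a minimal Ruby model of the two helper behaviours the ticket contrasts (verbatim interpolation versus html_escape), plus a check that the rendered element was not closed early; the helper names and the sample input are constructed for illustration and the `name` attribute is assumed to be developer-controlled.

```ruby
# Added example (not Hobo's or Rails' code): a minimal model of the
# text_area_tag behaviour before and after Rails 2.3.4, showing why
# unescaped content lets user input close the <textarea> early.
require 'erb'

# Pre-2.3.4 behaviour: content is interpolated verbatim.
def text_area_tag_unescaped(name, content)
  %(<textarea name="#{name}" id="#{name}">#{content}</textarea>)
end

# 2.3.4+ behaviour: content passes through html_escape, so the only
# "</textarea>" in the output is the one the helper itself emits.
def text_area_tag_escaped(name, content)
  escaped = ERB::Util.html_escape(content)
  %(<textarea name="#{name}" id="#{name}">#{escaped}</textarea>)
end

# Defensive check for rendered output: a well-formed textarea contains
# exactly one closing tag, and it sits at the very end.
def textarea_intact?(html)
  html.scan(%r{</textarea>}i).length == 1 && html.end_with?("</textarea>")
end

# Constructed sample input: a user value that tries to end the element early.
SAMPLE = "hello</textarea><b>not a textarea anymore</b>"

puts text_area_tag_unescaped("body", SAMPLE)   # two closing tags: broken out
puts text_area_tag_escaped("body", SAMPLE)     # one closing tag: still inside
```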
