Rails 2.3.3 and older do not escape text_area_tag
Reported by Bryan Larsen | January 16th, 2011 @ 06:11 PM | in Hobo 1.0X
The Hobo input for="text" does not escape the text. If the input contains </textarea> this may let users write arbitrary text to your HTML. Rails 2.3.4 and later escape text_area_tag by default, so this is only a bug for older versions of Rails.
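An added example, not code from the ticket or from Hobo, contrasting the raw interpolation of Rails 2.3.3 and older with the escaped output of 2.3.4+; render_textarea, breaks_out? and textarea_content are hypothetical helper names, and the sample value is constructed.

```ruby
require "erb"
require "cgi"

# Constructed sample: user-supplied text that carries a closing textarea tag.
UNTRUSTED_VALUE = "hello</textarea><b>injected markup</b>"

# Hypothetical stand-in for text_area_tag. With escape: false the value is
# interpolated raw, as Rails <= 2.3.3 did; with escape: true it is HTML-escaped,
# as Rails 2.3.4 and later do by default.
def render_textarea(name, value, escape:)
  body = escape ? ERB::Util.html_escape(value) : value
  %(<textarea name="#{ERB::Util.html_escape(name)}">#{body}</textarea>)
end

# Defender's check: a well-formed textarea has exactly one closing tag, so any
# other count means the value terminated the element and became markup.
def breaks_out?(html)
  html.scan(%r{</textarea>}i).length != 1
end

# Shows escaping is lossless: the browser decodes the entities back into the
# original text, so the fix does not alter what the user sees or submits.
def textarea_content(html)
  m = html.match(%r{<textarea[^>]*>(.*)</textarea>}m)
  m ? CGI.unescapeHTML(m[1]) : nil
end

if __FILE__ == $0
  raw  = render_textarea("body", UNTRUSTED_VALUE, escape: false)
  safe = render_textarea("body", UNTRUSTED_VALUE, escape: true)
  puts "raw:  #{raw}\n  breaks out? #{breaks_out?(raw)}"
  puts "safe: #{safe}\n  breaks out? #{breaks_out?(safe)}"
  puts "round trip intact: #{textarea_content(safe) == UNTRUSTED_VALUE}"
end
```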
Comments and changes to this ticket
Bryan Larsen January 16th, 2011 @ 08:26 PM
Bryan Larsen January 17th, 2011 @ 08:49 PM
- Milestone order changed from 11 to 0
(from [1eba365478132015ce3ee23345fe9b6b998e783c]) [#903] fix textarea security hole for Rails < 2.3.4. https://github.com/tablatom/hobo/commit/1eba365478132015ce3ee23345f...
Bryan Larsen January 17th, 2011 @ 10:42 PM
(from [2d745544f7ea750f9c6c6a47ae55bf669c91beab]) [#903] fix textarea security hole for Rails < 2.3.4. https://github.com/tablatom/hobo/commit/2d745544f7ea750f9c6c6a47ae5...