Are we missing places where we should be doing html escaping
Reported by Tom Locke | July 31st, 2008 @ 11:29 AM | in Beyond Hobo 1.0
e.g. #to_s and #name?
Comments and changes to this ticket
-
Tom Locke July 31st, 2008 @ 11:29 AM
- State changed from new to open
-
Tom Locke August 3rd, 2008 @ 12:17 PM
- Title changed from Review for places we should be doing HTML escaping to Are we missing places where we should be doing html escaping
- Tag changed from security to question, security
-
Matt Jones November 10th, 2009 @ 04:35 AM
- Tag changed from question, security to misc, question, security
We should probably integrate with rails_xss, as we're going to have to deal with the escaping issue when we move to 3.0.
-
Bryan Larsen December 1st, 2009 @ 11:45 PM
- Milestone changed from Hobo 1.0 - Final to Beyond Hobo 1.0
I missed the comment on rails_xss. Darn. This really should have made RC1. If we ever decide to bend the rule, this should be on the list.
I'm not sure if we should make rails_xss a dependency, but we should definitely be compatible with it and recommend it.
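As an added illustration of the problem the ticket raises (a `#to_s` or `#name` whose raw value ends up in markup) and of the escape-by-default buffer that rails_xss introduces, here is a self-contained Ruby sketch. It is not Hobo or rails_xss code: `SafeBuffer`, `String#html_safe` and the `Product` record are simplified stand-ins written for this example, and the product name is constructed sample input.

```ruby
require 'erb'

# Hypothetical stand-ins for the html_safe marking that rails_xss adds to String.
class String
  def html_safe?
    false
  end

  # Wrap trusted markup so the buffer appends it without escaping.
  def html_safe
    SafeBuffer.new(self)
  end
end

# Simplified model of an escape-by-default output buffer.
class SafeBuffer < String
  def html_safe?
    true
  end

  # String#to_s would return a plain String for a subclass and drop the safe mark.
  def to_s
    self
  end

  # Anything not explicitly marked safe is HTML-escaped before it is appended.
  def <<(value)
    str = value.to_s
    super(str.html_safe? ? str : ERB::Util.html_escape(str))
  end
end

# Constructed record: #name holds user-supplied text and #to_s returns it raw,
# which is exactly the kind of method the ticket asks about.
Product = Struct.new(:name) do
  def to_s
    name
  end
end

# Vulnerable pattern: plain string concatenation passes #to_s through unescaped.
def render_unsafe(product)
  '<li>' + product.to_s + '</li>'
end

# Buffer pattern: #to_s output is escaped, the surrounding markup is marked safe.
def render_safe(product)
  buf = '<li>'.html_safe
  buf << product
  buf << '</li>'.html_safe
  buf
end
```

With a constructed name such as `Acme <b>Deluxe</b> & Co`, `render_unsafe` emits the tags verbatim while `render_safe` emits `&lt;b&gt;` and `&amp;` in their place.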