Hello, I've read Yehuda Katz's article about SafeBuffers in Rails 3 (http://yehudakatz.com/2010/02/01/safebuffers-and-rails-3-0/), and it made me discover that content_tag does not escape its input. I think it's a security flaw that should be fixed before the release of Rails 3.0.0.

I've opened a ticket on Lighthouse with a patch: https://rails.lighthouseapp.com/projects/8994/tickets/3883-content_tag-does-not-escape-its-input. I'll be glad if someone can review my patch.

Thanks,
Bruno Michel

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group. For more options, visit this group at http://groups.google.com/group/rubyonrails-core?hl=en.
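The problem described in the message, illustrated with an added, self-contained example. This is not the Rails source and not the patch attached to the Lighthouse ticket: `SafeString` is a stand-in for Rails 3's SafeBuffer, `content_tag_unescaped` models the reported behaviour (content interpolated into the tag verbatim), and `content_tag_escaped` models the fix (HTML-escape the content and every attribute value unless the caller hands in a value already marked safe). Escaping is done with the standard library's `ERB::Util.html_escape`; the sample input is constructed.

```ruby
require 'erb'

# Stand-in for Rails 3's SafeBuffer: a String subclass whose instances are
# understood to already be escaped HTML. It is NOT the Rails class itself;
# the point is only that helpers can tell "trusted markup" from "raw text".
class SafeString < String; end

module TagHelper
  module_function

  # Behaviour reported in the message: the content goes into the tag
  # unchanged, so any markup in user-controlled text reaches the browser
  # as markup. Attribute values are not escaped either.
  def content_tag_unescaped(name, content, options = {})
    attrs = options.map { |k, v| %( #{k}="#{v}") }.join
    SafeString.new("<#{name}#{attrs}>#{content}</#{name}>")
  end

  # Hardened version: escape the content unless it is already a
  # SafeString (the SafeBuffer convention), and always escape attribute
  # values, since those come from a string context too.
  def content_tag_escaped(name, content, options = {})
    attrs = options.map { |k, v| %( #{k}="#{ERB::Util.html_escape(v)}") }.join
    body  = content.is_a?(SafeString) ? content : ERB::Util.html_escape(content)
    SafeString.new("<#{name}#{attrs}>#{body}</#{name}>")
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a user-supplied comment containing characters that
  # are significant in HTML. Nothing about it is trusted.
  comment = 'Tom & Jerry <b>bold</b>'

  puts TagHelper.content_tag_unescaped('p', comment)
  # => <p>Tom & Jerry <b>bold</b></p>          (markup leaks through)
  puts TagHelper.content_tag_escaped('p', comment)
  # => <p>Tom &amp; Jerry &lt;b&gt;bold&lt;/b&gt;</p>
  puts TagHelper.content_tag_escaped('p', SafeString.new('<em>ok</em>'))
  # => <p><em>ok</em></p>                      (explicitly trusted markup kept)
  puts TagHelper.content_tag_escaped('p', 'x', :title => 'a"b')
  # => <p title="a&quot;b">x</p>
end
```

The design point is the one the SafeBuffers article makes: the helper, not the caller, is the place where the trusted/untrusted distinction must be enforced, because a helper that returns something marked safe while never escaping turns every call site into a potential injection point.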
