Josef Reidinger wrote:
> Martin Vidner wrote:
> > On Mon, Mar 15, 2010 at 12:00:58PM +0100, Josef Reidinger wrote:
> > > Hi,
> > > I submit an implementation of details in flash messages. It is really easy to
> > > use. You can use it to add additional info to a message which is not shown
> > > by default.
> > > Attention: the details string is not escaped. It is up to you to ensure that
> > > it is escaped. (This can change in the future if there is a request for it.)
> > > Note: it uses pre for the string, so you don't need to replace \n with <br>
> > >
> > > example:
> > > flash[:error] = "Fatal error."+details("really interesting details")
> >
> > You are just begging to get an XSS exploit.
> > 1) the API is insecure by default
> > 2) no example shown how to escape problematic strings
> >
> > Please make it escaped by default (hint: h() vs raw() in RoR 2->3)
> >
>
> Yes, I think escaping by default could be good if the developer need not format
> the details.
>
> The hint is a little problematic, because h is a helper, but you need details in
> the controller as you set flash messages in controllers. But helpers are not
> reachable from the controller. Of course I can include the helper in the application
> controller, but that mixes view logic into controller logic. Do you know a better
> solution?
>
> Josef
>
OK, I answer myself, UTFG:
http://startupfront.blogspot.com/2006/11/how-to-escape-html-in-your-rails.html
so I changed it and now it is escaped by default.
Josef
--
Josef Reidinger
YaST team
maintainer of perl-Bootloader, YaST2-Repair, parts of webyast
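As an added illustration of the point raised in this thread (not webyast's own code), the unescaped `details` helper as first proposed sits beside an escape-by-default version; `ERB::Util.html_escape` is plain Ruby stdlib, so it is callable from a controller without mixing in view helpers. The `FlashDetails` module, its method names and the sample string are assumptions for this example.

```ruby
# Added example, not code from the webyast project. Names are assumptions.
require 'erb'

module FlashDetails
  # Insecure-by-default shape from the original proposal: whatever the
  # caller passes lands inside the <pre> verbatim, so any markup in `text`
  # becomes live HTML in the rendered flash message.
  def self.details_unescaped(text)
    "<pre class=\"details\">#{text}</pre>"
  end

  # Escape-by-default version: ERB::Util.html_escape turns <, >, &, " and '
  # into entities. Newlines are left alone, so <pre> still renders the line
  # breaks and no \n -> <br> replacement is needed.
  def self.details(text)
    "<pre class=\"details\">#{ERB::Util.html_escape(text)}</pre>"
  end

  # Quick check a reviewer can run over a rendered fragment: does it still
  # contain a raw tag that came from the input?
  def self.contains_raw_tag?(fragment, tag = 'script')
    fragment.include?("<#{tag}")
  end
end

# Constructed sample input: details text (say, a line echoed back from an
# external tool) that happens to contain markup.
SAMPLE = "zypper failed:\n<script>alert(1)</script>"

if __FILE__ == $0
  puts FlashDetails.details_unescaped(SAMPLE)  # script tag survives
  puts FlashDetails.details(SAMPLE)            # script tag rendered inert
end
```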