
#3952 ✓resolved
Greg Hazel

link_to XSS problem

Reported by Greg Hazel | February 13th, 2010 @ 07:52 PM | in 2.3.6

not_safe = "<i>XSS is fun</i>"
link_to(not_safe, some_path)

produces:

<a href="hi"><i>XSS is fun</i></a>

when I believe it should instead check .html_safe? on the "name" arg, and escape it if it is not safe, producing:

<a href="hi">&lt;i&gt;XSS is fun&lt;/i&gt;</a>
