This project is archived and is in readonly mode.
Closing form tags are not marked HTML-safe
Reported by nex3 | May 23rd, 2010 @ 11:53 AM | in 2.3.7
Closing form tags (</form>
) created via
#form_for
or #form_tag
are not marked as
HTML-safe, and so are rendered as
</form>
when XSS protection is enabled.
This effectively renders form methods unusable with XSS
protection.
I have a patch in my Rails fork which fixes this.
Comments and changes to this ticket
-
Santiago Pastorino May 23rd, 2010 @ 05:11 PM
- Milestone set to 2.3.6
- Tag changed from 2.3.6 to 2.3.6, xss
- State changed from new to open
-
Santiago Pastorino May 23rd, 2010 @ 05:28 PM
- Assigned user set to Jeremy Kemper
-
Santiago Pastorino May 24th, 2010 @ 05:06 AM
- State changed from open to resolved
Create your profile
Help contribute to this project by taking a few moments to create your personal profile. Create your profile »
<h2 style="font-size: 14px">Tickets have moved to Github</h2>
The new ticket tracker is available at <a href="https://github.com/rails/rails/issues">https://github.com/rails/rails/issues</a>