This project is archived and is in readonly mode.
WhiteListSanitizer removes unknown tags instead of escaping.
Reported by antonmos | August 27th, 2008 @ 03:45 PM | in 2.x
Quoting the comment in sanitizer.rb for the bad_tags member: "# Specifies a Set of 'bad' tags that the #sanitize helper will remove completely, as opposed to just escaping harmless tags like <font>"
However, the current code completely removes all unknown tags regardless of bad_tags set.
This is a problem because users may want to use text enclosed in < and > characters in their content (i.e. forum posts) and simply removing them is confusing and (unpleasantly) surprising.
Comments and changes to this ticket
-
antonmos August 27th, 2008 @ 04:23 PM
This changeset fixes the issue.
Some tests explicitly asserted that 'form' and 'plaintext' tags should be removed, thus I added them to the bad_tags list.
test_should_sanitize_tag_broken_up_by_null and test_should_sanitize_script_tag_with_multiple_open_brackets relied on removing unknown tags, but the new behavior should prevent script execution as well.
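The behaviour described above (allowed tags pass, tags in bad_tags are removed with their content, every other tag is escaped rather than dropped, and the null-byte and double-bracket script cases still end up inert), as an added Ruby illustration; this is not the ticket's changeset or Rails' own code, and DemoWhiteListSanitizer with its two tag sets is an assumption made for the demo:

```ruby
require 'set'
require 'cgi'

# Hypothetical sanitizer (not Rails' implementation) showing the behaviour
# the ticket asks for: whitelisted tags pass through, tags in the bad_tags
# set are removed together with their content, and every other tag is
# escaped so the reader still sees it as text. Attributes are dropped from
# allowed tags to keep the demo focused on tag handling.
class DemoWhiteListSanitizer
  ALLOWED_TAGS = Set.new(%w[a b i em strong p br])
  # form and plaintext are listed as bad, as the ticket's patch does.
  BAD_TAGS = Set.new(%w[script style form plaintext])
  # NUL bytes are accepted inside a tag name and stripped before lookup, so
  # "scr\0ipt" is classified as "script" rather than as an unknown tag.
  TAG_RE = /<\/?([a-zA-Z\x00][a-zA-Z0-9\x00]*)[^>]*>/

  def self.sanitize(html)
    out = String.new
    skip_depth = 0 # > 0 while inside a bad tag whose content is dropped
    pos = 0
    html.scan(TAG_RE) do
      m = Regexp.last_match
      text = html[pos...m.begin(0)]
      out << CGI.escapeHTML(text) if skip_depth.zero? # stray '<' becomes &lt;
      pos = m.end(0)
      name = m[1].delete("\0").downcase
      closing = m[0].start_with?("</")
      if BAD_TAGS.include?(name)
        skip_depth += closing ? -1 : 1
        skip_depth = 0 if skip_depth.negative?
      elsif skip_depth.positive?
        next # anything inside a bad tag is dropped
      elsif ALLOWED_TAGS.include?(name)
        out << (closing ? "</#{name}>" : "<#{name}>")
      else
        out << CGI.escapeHTML(m[0]) # unknown tag: escape it, do not remove it
      end
    end
    out << CGI.escapeHTML(html[pos..-1]) if skip_depth.zero?
    out
  end
end
```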
-
josh December 3rd, 2008 @ 03:25 PM
- Tag changed from 2.0-stable, 2.1, sanitize to 2.0-stable, 2.1, patch, sanitize
- State changed from new to resolved
-
David Eisinger November 20th, 2009 @ 03:55 PM
- Tag cleared.
This is still broken:
http://github.com/rails/rails/blob/master/actionpack/lib/action_con...
Tickets have moved to Github
The new ticket tracker is available at https://github.com/rails/rails/issues