codeplant/simple-navigation

primary.item :xss, '<script>alert("xss")</script>', 'javascript:void(0);'

troynt opened this issue · 3 comments

Hello,

It seems my navigation is a bit more permissive on link contents than I imagined.

What is the recommended way to disable automatic html_safe on links?

I see no mention of this potential security hole on
https://github.com/codeplant/simple-navigation/wiki/Dynamic-Navigation-Items

The obvious fix would be for one to manually add h() to unsafe content. However, I think it should escape content by default.

Thanks,

Troy

Hello Troy,

What version of the gem are you working with?
There is an option you can set called consider_item_names_as_safe which defaults to true.
Setting it to false should solve your issue:

SimpleNavigation::Configuration.run do |navigation|
  navigation.consider_item_names_as_safe = false
  # ...
end
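The two settings of consider_item_names_as_safe, modelled in plain Ruby so the difference can be run offline (this is an added example, not code from simple-navigation; render_item, safe_href? and the sample inputs are assumptions, and ERB::Util.html_escape stands in for Rails' h()). It also covers the second half of the title: escaping the item name says nothing about the href, since "javascript:void(0);" contains none of the characters html_escape touches, so the URL scheme has to be checked separately.

```ruby
require "erb"
require "uri"

# Added example, not simple-navigation's own code. render_item is a
# hypothetical stand-in for the gem's item renderer; safe_href? is an
# extra check the option in the thread does not perform.
module NavEscapeDemo
  # ERB::Util.html_escape is the function Rails exposes as h().
  def self.h(str)
    ERB::Util.html_escape(str.to_s)
  end

  # consider_safe: true reproduces the 3.12.x default (name emitted
  # verbatim); false escapes the name first.
  def self.render_item(key, name, url, consider_safe:)
    text = consider_safe ? name.to_s : h(name)
    %(<li id="#{h(key)}"><a href="#{h(url)}">#{text}</a></li>)
  end

  # html_escape leaves "javascript:void(0);" unchanged (no &, <, >, " or '),
  # so the href needs its own policy: allow http(s) and relative URLs only,
  # and fail closed on anything URI.parse rejects.
  ALLOWED_SCHEMES = %w[http https].freeze

  def self.safe_href?(url)
    uri = URI.parse(url.to_s)
    uri.scheme.nil? || ALLOWED_SCHEMES.include?(uri.scheme.downcase)
  rescue URI::InvalidURIError
    false
  end

  # Render only after both checks; raise rather than emit a link whose
  # href runs script on click.
  def self.render_item_checked(key, name, url)
    raise ArgumentError, "refusing href #{url.inspect}" unless safe_href?(url)
    render_item(key, name, url, consider_safe: false)
  end
end

# Constructed input resembling the item in the issue title.
name = '<script>alert("xss")</script>'
puts NavEscapeDemo.render_item(:xss, name, "javascript:void(0);", consider_safe: true)
puts NavEscapeDemo.render_item(:xss, name, "javascript:void(0);", consider_safe: false)
puts NavEscapeDemo.render_item_checked(:about, "About & Contact", "/about")
```

With consider_safe: true the script tag lands in the page as-is; with false it is rendered as text, but the javascript: href survives either way, which is why render_item_checked refuses it before rendering.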

I'm using version 3.12.2

I was unaware of this option, thank you!

andi commented

The option will be false by default from version 3.13.0.
On 4 Mar 2014 18:54, "Troy Thompson" notifications@github.com wrote:

Closed #157.

