seyhunak/twitter-bootstrap-rails

Security issue: XSS (cross-site scripting)

claudiob opened this issue · 2 comments

Looks like 23c2050 is taken as an example in a RailsConf talk about what not to do in a gem to avoid cross-site scripting. Take a look at https://youtu.be/dof0EspDPlU?t=24m4s – what do you think?

As argued in the talk, I think escaping should happen at the user level if desired. I created a pull request reverting this change and added two tests.
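The design point in this issue (a gem's view helper should not decide on the caller's behalf that a string is safe HTML; escaping, or opting out of it, belongs to the application) can be shown without Rails. The following is an added example, not code from twitter-bootstrap-rails or from commit 23c2050: the helper names `render_alert_unsafe` and `render_alert_safe` are hypothetical, and the `TrustedHtml` class stands in for the `html_safe?` marker Rails provides, so the script runs with plain Ruby and `ERB::Util`.

```ruby
require 'erb'

# Marker for strings the caller has explicitly vouched for as HTML.
# Mirrors the html_safe? convention of Rails; defined here (hypothetical,
# not Rails' own class) so the example runs without Rails.
class TrustedHtml < String
  def html_safe?
    true
  end
end

# Hypothetical helper in the style a gem should NOT ship: it trusts
# whatever it is given and interpolates it raw. A flash message built
# from a request parameter reaches the browser unescaped.
def render_alert_unsafe(message)
  %(<div class="alert">#{message}</div>)
end

# Hypothetical corrected helper: escape by default, and only pass a
# string through when the caller has marked it trusted. The decision to
# emit raw HTML stays with the application, not with the gem.
def render_alert_safe(message)
  trusted = message.respond_to?(:html_safe?) && message.html_safe?
  body = trusted ? message : ERB::Util.html_escape(message)
  %(<div class="alert">#{body}</div>)
end

# Constructed sample input: a message echoed back from user input.
INJECTED = '<script>alert(1)</script>'

if __FILE__ == $0
  puts render_alert_unsafe(INJECTED)                    # script tag survives
  puts render_alert_safe(INJECTED)                      # entity-escaped
  puts render_alert_safe(TrustedHtml.new('<b>Saved</b>')) # caller opted in
end
```

Plain `String` does not respond to `html_safe?` here, so every ordinary string is escaped; only a value the application wrapped in `TrustedHtml` goes through untouched, which is the "escaping at the user level if desired" behaviour the issue argues for.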

@seyhunak This is quite concerning because this vulnerability was addressed in 2014.

Read about it in this blog post: https://nvisium.com/blog/2014/03/28/reflected-xss-vulnerability-in-twitter/

Relevant commit: 663760e