the-trash/the_comments

XSS Vulnerability

Closed this issue · 2 comments

Out of the box, this gem creates an XSS vulnerability, as users are able to post HTML, including <script> tags. These are not stripped on the way into the database or before they're shown to the user.

@kevinreedy thanks! I will check it

@kevinreedy sorry for a looooong delay. =)

The Comment model provides 2 fields:

      t.text :raw_content
      t.text :content

Actually, I put the responsibility for XSS on developers' shoulders.
You must process raw_content from the user in a before_validate step and put the result in the content field.
After that you should always render the content field. And it should be safe.

For this gem I have a good example of a real application.

And you can find comments about how to process content here:
https://github.com/the-teacher/the_comments

https://github.com/the-teacher/the_comments/blob/master/spec/dummy_app/app/models/comment.rb#L24

PS: this gem is good enough for a few of my pet projects. It still works fine a few years after it was installed. But this gem is now abandoned, because I have another private and much better solution. I think you should know this before making a decision about using it.