#13 ✓resolved
Sven Fuchs

tag_list clashes with xss_terminate

Reported by Sven Fuchs | July 8th, 2008 @ 11:07 PM | in First alpha

Seems to be related to interrelated before_save and after_save filters in both plugins that just don't work together nicely.

Might be hard to fix though. If we can't fix it, we could also:

1. entirely remove xss_terminate, safe_erb and sqlite_tainted

Plus: sanitizing input before it goes to the database is not a common practice in the Rails world. Minus: all the reasons that speak for xss_terminate - it's just safer.

2. exclude tag_list from sanitizing, document that or maybe make it inaccessible

Plus: maybe the easiest solution. Minus: having a single unsanitized attribute might be even worse than having all attributes not sanitized.
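To make the trade-off in option 2 concrete, here is an added, constructed Ruby simulation of the two mechanisms the ticket describes; it is not code from adva_cms, xss_terminate or the tag_list plugin. It models a before_save hook that sanitizes string attributes (here `CGI.escapeHTML` stands in for whatever sanitizer the real plugin uses) and an after_save hook that turns a virtual `tag_list` attribute into tag records, run in the order ActiveRecord uses. The class-level `sanitize_except` option, the `Record` base class and the `Article` models are hypothetical names chosen for the example.

```ruby
require "cgi"

# Constructed simulation of an ActiveRecord-style callback chain. It is not
# the code of adva_cms, xss_terminate or the tag_list plugin; it only models
# the two mechanisms the ticket discusses: a before_save hook that sanitizes
# string attributes (as an XSS-termination plugin would), and an after_save
# hook that turns a virtual tag_list attribute into persisted tag records.
class Record
  attr_reader :attributes, :tags, :log

  # Hypothetical class-level option mirroring option 2 of the ticket:
  # attribute names listed here bypass sanitizing.
  def self.sanitize_except(*names)
    @sanitize_except = names.map(&:to_s)
  end

  def self.sanitize_except_list
    @sanitize_except || []
  end

  def initialize(attributes)
    @attributes = attributes.transform_keys(&:to_s)
    @tags = []
    @log = []
  end

  # Runs the chain in the order ActiveRecord uses: before_save, the write
  # itself, then after_save. Each step appends to @log so the order is visible.
  def save
    sanitize_attributes      # before_save filter (sanitizing plugin)
    @log << :persisted       # stand-in for the SQL write
    persist_tag_list         # after_save filter (tagging plugin)
    self
  end

  private

  # before_save: HTML-escape every string attribute except the excluded ones.
  def sanitize_attributes
    @attributes.each do |name, value|
      next unless value.is_a?(String)
      next if self.class.sanitize_except_list.include?(name)
      @attributes[name] = CGI.escapeHTML(value)
    end
    @log << :sanitized
  end

  # after_save: split the comma-separated tag_list into tag records.
  def persist_tag_list
    list = @attributes["tag_list"]
    return unless list
    @tags = list.split(",").map(&:strip).reject(&:empty?)
    @log << :tags_saved
  end
end

# Default model: everything is sanitized, including tag_list.
class Article < Record; end

# Option 2 from the ticket: tag_list is left out of sanitizing.
class ArticleWithRawTags < Record
  sanitize_except :tag_list
end

# Constructed sample input carrying markup in both a plain attribute and a tag.
INPUT = { title: "<b>Hello</b>", tag_list: "rails, <b>ruby</b>" }

def sanitized_everywhere
  Article.new(INPUT).save
end

def tag_list_excluded
  ArticleWithRawTags.new(INPUT).save
end

if __FILE__ == $0
  a = sanitized_everywhere
  puts "all attributes sanitized: tags=#{a.tags.inspect} order=#{a.log.inspect}"
  b = tag_list_excluded
  puts "tag_list excluded:        tags=#{b.tags.inspect}"
end
```

Running it shows the point of the "Minus" above: with `tag_list` excluded, the title is still escaped but the tag `<b>ruby</b>` reaches the tag records with its markup intact, so every view that renders tags must escape on output itself. The `log` array also makes visible that the tagging hook only runs after the sanitizing hook and the write, which is the ordering the ticket suspects the two plugins disagree about.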


Cutting edge cms, blog, wiki, forum ... platform.

Find the code on GitHub: adva cms (http://github.com/svenfuchs/adva_cms/tree/master)

Part of the business application framework adva best (http://www.advabest.org/).
