
tag_list clashes with xss_terminate
Reported by Sven Fuchs | July 8th, 2008 @ 11:07 PM | in First alpha
Seems to be related to interrelated before_save and after_save filters in both plugins that just don't work together nicely.
Might be hard to fix though. If we can't fix it, we could also:
1. entirely remove xss_terminate, safe_erb and sqlite_tainted
Plus: sanitizing input before it goes to the database is not a common practice in the Rails world. Minus: all the reasons that speak for xss_terminate - it's just safer.
2. exclude tag_list from sanitizing, document that or maybe make it inaccessible
Plus: maybe the easiest solution. Minus: having a single unsanitized attribute might be even worse than having all attributes not sanitized.
Comments and changes to this ticket
Sven Fuchs July 9th, 2008 @ 01:28 PM
- State changed from new to resolved
(from [fd4d6624e824ebba57370f282e2467f79649dc20]) Fix quoted tags clashing with xss_terminate [#13 state:resolved]
Cutting edge cms, blog, wiki, forum ... platform.
Find the code on GitHub: adva cms (http://github.com/svenfuchs/adva_cms/tree/master)
Part of the business application framework adva best (http://www.advabest.org/).
Referenced by
- 332 Calendar with PostgreSQL : SELECT tags.*, COUNT(*) AS count FROM "tags" INNER JOIN t...