[yast-devel] Details in flash message
Hi,

I submit an implementation of details in flash messages. It is really easy to use. You can use it to add additional info to a message which is not shown by default.

Attention: the details string is not escaped. It is up to you to ensure that it is escaped. (This can change in future if there is a request to have it.)

Note: it uses <pre> for the string, so you don't need to replace \n with <br>.

Example:

flash[:error] = "Fatal error." + details("really interesting details")

--
Josef Reidinger
YaST team
maintainer of perl-Bootloader, YaST2-Repair, parts of webyast

--
To unsubscribe, e-mail: yast-devel+unsubscribe@opensuse.org
For additional commands, e-mail: yast-devel+help@opensuse.org
On Mon, Mar 15, 2010 at 12:00:58PM +0100, Josef Reidinger wrote:
> Hi,
>
> I submit an implementation of details in flash messages. It is really easy to use. You can use it to add additional info to a message which is not shown by default.
>
> Attention: the details string is not escaped. It is up to you to ensure that it is escaped. (This can change in future if there is a request to have it.)
>
> Note: it uses <pre> for the string, so you don't need to replace \n with <br>.
>
> Example:
>
> flash[:error] = "Fatal error." + details("really interesting details")
You are just begging to get an XSS exploit.

1) the API is insecure by default
2) no example is shown of how to escape problematic strings

Please make it escaped by default (hint: h() vs raw() in RoR 2->3).

--
Martin Vidner, YaST developer
http://en.opensuse.org/User:Mvidner

A smoking section in a restaurant is like a fecal section in a swimming pool.
Martin Vidner wrote:
> On Mon, Mar 15, 2010 at 12:00:58PM +0100, Josef Reidinger wrote:
>
> > Hi,
> >
> > I submit an implementation of details in flash messages. It is really easy to use. You can use it to add additional info to a message which is not shown by default.
> >
> > Attention: the details string is not escaped. It is up to you to ensure that it is escaped. (This can change in future if there is a request to have it.)
> >
> > Note: it uses <pre> for the string, so you don't need to replace \n with <br>.
> >
> > Example:
> >
> > flash[:error] = "Fatal error." + details("really interesting details")
>
> You are just begging to get an XSS exploit.
>
> 1) the API is insecure by default
> 2) no example is shown of how to escape problematic strings
>
> Please make it escaped by default (hint: h() vs raw() in RoR 2->3).
Yes, I think escaping by default could be good if the developer need not format the details.

The hint is a little problematic, because h is a helper, but you need details in the controller, as you set flash messages in controllers. But helpers are not reachable from a controller. Of course I can include the helper in the application controller, but that mixes view logic into controller logic. Do you know a better solution?

Josef

--
Josef Reidinger
YaST team
maintainer of perl-Bootloader, YaST2-Repair, parts of webyast
Josef Reidinger wrote:
> Martin Vidner wrote:
>
> > On Mon, Mar 15, 2010 at 12:00:58PM +0100, Josef Reidinger wrote:
> >
> > > Hi,
> > >
> > > I submit an implementation of details in flash messages. It is really easy to use. You can use it to add additional info to a message which is not shown by default.
> > >
> > > Attention: the details string is not escaped. It is up to you to ensure that it is escaped. (This can change in future if there is a request to have it.)
> > >
> > > Note: it uses <pre> for the string, so you don't need to replace \n with <br>.
> > >
> > > Example:
> > >
> > > flash[:error] = "Fatal error." + details("really interesting details")
> >
> > You are just begging to get an XSS exploit.
> >
> > 1) the API is insecure by default
> > 2) no example is shown of how to escape problematic strings
> >
> > Please make it escaped by default (hint: h() vs raw() in RoR 2->3).
>
> Yes, I think escaping by default could be good if the developer need not format the details.
>
> The hint is a little problematic, because h is a helper, but you need details in the controller, as you set flash messages in controllers. But helpers are not reachable from a controller. Of course I can include the helper in the application controller, but that mixes view logic into controller logic. Do you know a better solution?
>
> Josef
OK, I answer myself. UTFG: http://startupfront.blogspot.com/2006/11/how-to-escape-html-in-your-rails.ht...

So I changed it, and now it is escaped by default.

Josef

--
Josef Reidinger
YaST team
maintainer of perl-Bootloader, YaST2-Repair, parts of webyast
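The following is an added worked example of the escaped-by-default details helper the thread converges on; it is not webyast's code and does not claim to reproduce what the linked (truncated) blog post says. It addresses both Martin's point (the API must be safe by default, with the escaping shown) and Josef's follow-up question (h() is a view helper that a controller cannot reach): plain Ruby's ERB::Util.html_escape does the same job and is callable from a controller without mixing in view helpers. The names details, flash_error, contains_raw_tag?, the raw: keyword and the sample PAYLOAD are assumptions made for the example.

```ruby
require 'erb'

# Hypothetical helper (not webyast's own code): build the hidden "details"
# part of a flash message. Escaped by default; raw: true is an explicit
# opt-out for callers that have already escaped and formatted the HTML
# themselves. ERB::Util.html_escape is plain Ruby (Rails exposes the same
# method), so it works inside a controller without view helpers.
def details(text, raw: false)
  body = raw ? text : ERB::Util.html_escape(text)
  # <pre> preserves line breaks, so "\n" does not need to become <br>.
  "<pre>#{body}</pre>"
end

# Hypothetical convenience wrapper: the summary is escaped as well, so the
# caller cannot forget it for either half of the message.
def flash_error(summary, detail_text, raw: false)
  ERB::Util.html_escape(summary) + details(detail_text, raw: raw)
end

# Constructed sample input: an error detail that embeds attacker-controlled
# text, e.g. a device label or filename echoed back from a failed command.
PAYLOAD = "Mount failed for /dev/sda1\n<script>alert(document.cookie)</script>".freeze

# Quick self-check: true when the rendered fragment still carries an
# unescaped tag opener inside the <pre> wrapper.
def contains_raw_tag?(html)
  inner = html.sub(%r{\A<pre>}, '').sub(%r{</pre>\z}, '')
  inner.include?('<')
end

if __FILE__ == $0
  puts details(PAYLOAD)            # safe: the browser shows the tag as text
  puts details(PAYLOAD, raw: true) # insecure opt-in: the script would run
end
```

One caveat that follows from the "RoR 2->3" hint: in Rails 3 a view that prints the flash with <%= %> escapes the whole string again, <pre> included, unless the result is marked html_safe; in Rails 2 it is emitted as-is. Either way, escaping the user-controlled parts in the helper is what keeps the raw: true opt-out from being the default path.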
participants (2)

- Josef Reidinger
- Martin Vidner