Mailinglist Archive: yast-devel (59 mails)

Re: [yast-devel] Details in flash message
  • From: Josef Reidinger <jreidinger@xxxxxxx>
  • Date: Mon, 15 Mar 2010 16:37:22 +0100
  • Message-id: <201003151637.22319.jreidinger@xxxxxxx>
Josef Reidinger wrote:
Martin Vidner wrote:
On Mon, Mar 15, 2010 at 12:00:58PM +0100, Josef Reidinger wrote:
Hi,
I submitted an implementation of details in flash messages. It is really easy to
use. You can use it to add additional info to a message which is not shown
by default.
Attention: the details string is not escaped. It is up to you to ensure that
it is escaped. (This can change in the future if there is a request for it.)
Note: it uses pre for the string, so you don't need to replace \n with <br>

example:
flash[:error] = "Fatal error."+details("really interesting details")

You are just begging to get an XSS exploit.
1) the API is insecure by default
2) no example is shown of how to escape problematic strings

Please make it escaped by default (hint: h() vs raw() in RoR 2->3)


Yes, I think escaping by default could be good if the developer does not need
to format details.

The hint is a little problematic, because h is a helper, but you need details in
the controller, as you set flash messages in controllers. But helpers are not
reachable from the controller. Of course I can include the helper in the application
controller, but it mixes view logic into controller logic. Do you know a better
solution?

Josef

OK, I'll answer myself, UTFG:
http://startupfront.blogspot.com/2006/11/how-to-escape-html-in-your-rails.html

so I changed it and now it is escaped by default.

Josef

--
Josef Reidinger
YaST team
maintainer of perl-Bootloader, YaST2-Repair, parts of webyast
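An added example, not the webyast code discussed in the thread, of the escape-by-default details helper Josef ends up with: it uses ERB::Util.html_escape from the Ruby standard library, which is callable from a controller without mixing in a view helper, and wraps the result in pre so newlines survive. The module and method names, and the sample input, are assumptions.

```ruby
require "erb"

# Constructed example: a `details` helper for flash messages that escapes
# HTML by default and only emits raw markup when the caller opts out.
module FlashDetails
  # Returns the details block for a flash message.
  # ERB::Util.html_escape (the h() that views get) is plain stdlib, so it
  # works inside a controller. Escaping is the default; `escape: false`
  # is the explicit opt-out for callers that built trusted markup themselves.
  def self.details(text, escape: true)
    body = escape ? ERB::Util.html_escape(text) : text
    # <pre> keeps the newlines, so no \n -> <br> replacement is needed.
    "<pre class=\"details\">#{body}</pre>"
  end

  # Builds the string the thread's example assigns to flash[:error]:
  #   flash[:error] = "Fatal error." + details("...")
  # The summary is escaped too, so untrusted text is safe in either part.
  def self.error_message(summary, detail_text, escape: true)
    ERB::Util.html_escape(summary) + details(detail_text, escape: escape)
  end
end

if __FILE__ == $0
  # Constructed untrusted input, e.g. text copied from a failing command.
  hostile = "mount failed\n<script>alert(1)</script>"
  puts FlashDetails.error_message("Fatal error.", hostile)
end
```

With the default, the script tag in the sample arrives in the page as literal `&lt;script&gt;` text inside the pre block instead of running.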