On Mon, Mar 15, 2010 at 12:00:58PM +0100, Josef Reidinger wrote:
Hi, I submit an implementation of details in flash messages. It is really easy to use. You can use it to add additional info to a message which is not shown by default.

Attention: the details string is not escaped. It is up to you to ensure that it is escaped. (This can change in the future if there is a request to have it.)

Note: it uses pre for the string, so you don't need to replace \n with <br>.
example: flash[:error] = "Fatal error."+details("really interesting details")
You are just begging to get an XSS exploit.

1) the API is insecure by default
2) no example is shown of how to escape problematic strings

Please make it escaped by default (hint: h() vs raw() in RoR 2->3).

-- 
Martin Vidner, YaST developer
http://en.opensuse.org/User:Mvidner
The smoking section in a restaurant is like the fecal section in a swimming pool.
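To make the point concrete, here is an added example (not part of the thread and not YaST's or Josef's code) contrasting a details helper that concatenates raw text into a <pre> block with one that runs the text through ERB::Util.html_escape, which is what Rails' h() calls. The helper names details_unescaped and details, and the sample attacker-controlled string, are assumptions made up for the illustration.

```ruby
require 'erb'

# Hypothetical helper modelled on the one proposed in the thread: wraps the
# details in <pre> without escaping. Any markup in the string lands in the
# page verbatim, so attacker-influenced text (a filename, a log line, an
# error from an external tool) becomes script that runs in the user's browser.
def details_unescaped(text)
  "<pre>#{text}</pre>"
end

# Hardened version: escape first, then wrap. html_escape turns & < > " '
# into entities; the <pre> element still preserves newlines, so the
# "no need to replace \n with <br>" property is kept.
def details(text)
  "<pre>#{ERB::Util.html_escape(text)}</pre>"
end

# Constructed sample: text an attacker could plausibly get into an error
# message. Includes a script tag, an ampersand, quotes and a newline.
ATTACKER_TEXT = %q{<script>alert(document.cookie)</script>
line 2 & "quotes"}

# What flash[:error] would contain with each helper.
def unsafe_flash
  "Fatal error." + details_unescaped(ATTACKER_TEXT)
end

def safe_flash
  "Fatal error." + details(ATTACKER_TEXT)
end

if __FILE__ == $0
  puts "unescaped: #{unsafe_flash}"
  puts "escaped:   #{safe_flash}"
end
```

Under Rails 3, a helper that has done its own escaping should return the string marked html_safe so the view layer does not escape the <pre> tags a second time; under Rails 2 the caller must remember to output it without h(), which is exactly the "insecure by default" trap being objected to above.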