Mailinglist Archive: yast-devel (59 mails)

< Previous Next >
Re: [yast-devel] Details in flash message
  • From: Martin Vidner <mvidner@xxxxxxx>
  • Date: Mon, 15 Mar 2010 16:07:38 +0100
  • Message-id: <20100315150738.GC5834@xxxxxxxxxxxxxxxx>
On Mon, Mar 15, 2010 at 12:00:58PM +0100, Josef Reidinger wrote:
I submit implementation of details in flash message. It is really easy to
use. You can use for to add additional info to message which is not shown by
Attention: details string is not escaped. It is up to you to ensure that it
is escaped. (Can change in future if there is request to have it)
Note: It uses pre for string, so you don't need to replace \n with <br>

flash[:error] = "Fatal error."+details("really interesting details")

You are just begging to get an XSS exploit.
1) the API insecure by default
2) no example shown how to escape problematic strings

Please make it escaped by default (hint: h() vs raw() in RoR 2->3)
Martin Vidner, YaST developer

Kuracke oddeleni v restauraci je jako fekalni oddeleni v bazenu
< Previous Next >
Follow Ups