Martin Vidner wrote:
> On Mon, Mar 15, 2010 at 12:00:58PM +0100, Josef Reidinger wrote:
> > Hi,
> > I submit an implementation of details in flash messages. It is really easy to
> > use. You can use it to add additional info to a message which is not shown
> > by default.
> > Attention: the details string is not escaped. It is up to you to ensure that it
> > is escaped. (This can change in future if there is a request for it.)
> > Note: it uses pre for the string, so you don't need to replace \n with <br>
> >
> > example:
> > flash[:error] = "Fatal error."+details("really interesting details")
>
> You are just begging to get an XSS exploit.
> 1) the API is insecure by default
> 2) no example shown how to escape problematic strings
>
> Please make it escaped by default (hint: h() vs raw() in RoR 2->3)
>
Yes, I think escaping by default could be good if the developer need not format
the details.
The hint is a little problematic, because h is a helper, but you need details in
the controller, as you set flash messages in controllers. But helpers are not
reachable from the controller. Of course I can include the helper in the application
controller, but that mixes view logic into controller logic. Do you know a better
solution?
Josef
--
Josef Reidinger
YaST team
maintainer of perl-Bootloader, YaST2-Repair, parts of webyast
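Added example (not code from this thread or from webyast): an escape-by-default details helper in plain Ruby. It relies on ERB::Util.html_escape from Ruby's standard library, which is what Rails' h() delegates to and which is callable from a controller without including view helpers; the function names and the sample detail string are constructed for the example.

```ruby
require 'erb'

# Variant as proposed in the thread: the detail text is dropped into the
# markup unescaped, so the caller is responsible for escaping it.
def details_raw(text)
  "<div class=\"details\"><pre>#{text}</pre></div>"
end

# Escape-by-default variant. ERB::Util.html_escape is the stdlib escaper
# (Rails' h() helper delegates to it), so it can be used from a controller
# without mixing view helpers into controller code.
def details(text)
  "<div class=\"details\"><pre>#{ERB::Util.html_escape(text)}</pre></div>"
end

# Builds the flash string exactly as the thread's usage does:
#   flash[:error] = "Fatal error." + details(...)
def flash_with_details(message, text)
  message + details(text)
end

# Constructed sample: a detail string containing markup characters
SAMPLE = 'Error in <config>: key & "value"'

if __FILE__ == $0
  puts details_raw(SAMPLE)
  puts flash_with_details("Fatal error.", SAMPLE)
end
```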