Someone forgot to h()
We’ve been having fun with the fact that our friends at 37signals forgot to escape HTML in the lobby of Campfire.
Comments
Mischa about 1 hour later:
Hahaha
Dr Nic about 2 hours later:
Hehehe.
Dan Kubb about 7 hours later:
That's one of the reasons I switched to using Erubis for my erb views. It has a library called Erubis::EscapedEruby which escapes everything automatically. The difference is that you have to tell it what *not* to escape, which I think catches more mistakes than having to remember to use h() everywhere.
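The two approaches in this thread side by side, as an added example that is not code from the post or from 37signals: a minimal ERB lobby view rendered without h() (the bug in the post), the same view with h(), and a small rewrite that mimics the escape-by-default idea Dan describes (`<%= %>` escaped, an explicit `<%== %>` left raw, the marker Erubis uses). The template, the messages and the helper names are assumptions.

```ruby
require 'erb'
include ERB::Util # html_escape and its alias h(), the helper Rails views call as h()

# Constructed lobby messages; the second carries markup a chat user typed in.
LOBBY_MESSAGES = [
  { user: "alice",   body: "hello" },
  { user: "mallory", body: "<b>hi</b><script>alert(1)</script>" },
]

# Hypothetical lobby view: the bug in the post is that <%= %> emits the body verbatim.
UNESCAPED_TEMPLATE = <<~TPL
  <ul>
  <% messages.each do |m| %>
    <li><%= m[:user] %>: <%= m[:body] %></li>
  <% end %>
  </ul>
TPL

# The fix the post's title points at: wrap every interpolation in h().
ESCAPED_TEMPLATE = <<~TPL
  <ul>
  <% messages.each do |m| %>
    <li><%= h(m[:user]) %>: <%= h(m[:body]) %></li>
  <% end %>
  </ul>
TPL

def render_lobby(messages, escape: true)
  ERB.new(escape ? ESCAPED_TEMPLATE : UNESCAPED_TEMPLATE).result(binding)
end

# Escape-by-default: rewrite every <%= expr %> to <%= h(expr) %>; only a deliberate
# <%== expr %> stays raw, so forgetting the helper is no longer a bug.
def auto_escape(template)
  template.gsub(/<%(==?)\s*(.*?)\s*%>/) { $1 == "==" ? "<%= #{$2} %>" : "<%= h(#{$2}) %>" }
end

def render_lobby_autoescaped(messages)
  ERB.new(auto_escape(UNESCAPED_TEMPLATE)).result(binding)
end

# Review check for views that still rely on remembering h(): list the
# interpolations whose expression is not wrapped in h(...).
def unescaped_interpolations(template)
  template.scan(/<%=\s*(.*?)\s*%>/).flatten.reject { |expr| expr.start_with?("h(") }
end
```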
Christian H 1 day later:
Basecamp's todo lists had the same problem last time I checked...
Thijs van der Vossen 1 day later:
The Basecamp todos are escaped now, which is a shame in my opinion; I used this 'feature' to include links in todo items.
rick 5 days later:
So, is this really a big deal? Just don't invite javascript hackers into your campfire, unless you are a group of javascript hackers. Trust no one!
Seriously though, I suppose a hacker could add malicious logic to your chatroom screen through some sort of CSRF attack...
Manfred Stienstra 5 days later:
No, and I never said it was. I thought it was funny that you can do stuff like this. I think there might even be a real use-case for this.