It''s really confusing to decide whether sanitize will help avoid XSS in
case when :attributes => %w( style )
on stackoverflow, people say that it is not safe, yet the examples they
give such as
style="background-image: url(javascript:[code]);"
is being filtered out using sanitize and all that is left is style=""
is there a way to get a definite answer if sanitize with style allow will
protect against XSS or not?
--
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To view this discussion on the web visit
https://groups.google.com/d/msg/rubyonrails-talk/-/FtHL3thXWpEJ.
For more options, visit https://groups.google.com/groups/opt_out.
