2010 Feb 02
[Security] Loofah has an HTML injection / XSS vulnerability, please upgrade to 0.4.6
...when implicitly scrubbing a string attribute. GH #17
Patch
----------
diff --git a/lib/loofah/html/document.rb b/lib/loofah/html/document.rb
index 30b8b9f..b7ffa20 100644
--- a/lib/loofah/html/document.rb
+++ b/lib/loofah/html/document.rb
@@ -10,10 +10,11 @@ module Loofah
include Loofah::DocumentDecorator
#
- # Returns a plain-text version of the markup contained by the
document
+ # Returns a plain-text version of the markup contained by the
document,
+ # with HTML entities encoded.
#
def text
- xpath("/html/body").inner_text
+ enco...
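Review bot: the replacement for `xpath("/html/body").inner_text` is truncated at `+ enco...`, so the encoding call itself cannot be reviewed from this hunk; only the updated doc comment (`+ # with HTML entities encoded.`) states the intent. The point the change must cover is that `inner_text` returns decoded text, so the old `text` handed back `<`, `>`, `&` and quote characters unescaped, which is the HTML injection the subject line describes when that value is reused as markup; the new body should escape those characters before returning, and the patch would benefit from a regression test asserting that `Loofah.document(...).text` no longer returns raw markup characters for an input containing them.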