2010 Feb 02
[Security] Loofah has an HTML injection / XSS vulnerability, please upgrade to 0.4.6
Synopsis
----------
Loofah::HTML::Document#text emits unencoded HTML entities prior to
0.4.6. This was originally by design, since the output of #text is
intended to be used in a non-HTML context (such as generation of
human-readable text documents).
However, Loofah::XssFoliate's default behavior and Loofah::Helpers#strip_tags
both use #text to strip tags out of the output, meaning that the following
input:
<script>alert('evil!');</script>
would be rendered as
<script>alert('evil!');<...
2009 Oct 13
loofah 0.3.1 Released
.../tt> and <tt>></tt> entities.
* _Whitewash_ the markup, removing all attributes and namespaced nodes.
* Format the markup as plain text.
* Replacements for Rails's +strip_tags+ and +sanitize+ helper methods.
* TWO! Count them, TWO! ActiveRecord extensions:
* Loofah::XssFoliate (an
XssTerminate[http://github.com/look/xss_terminate/tree/master] drop-in
replacement) is an *opt-out* sanitizer; by default all models and
attributes are sanitized.
* Loofah::ActiveRecordExtension is an *opt-in* sanitizer; you must
explicitly declare attributes to be sanitized.
* 99 44/100 % pu...