You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The first page is a html.erb while the second is a HAML variant. The source is here. The following is a snippet:
%pHAML: content_formarksinputashtml_safebutdoes not sanitizeit.
- content_for(:page_title){"</title><script>alert('Pawned')</script>;"}
- putscontent_for(:page_title)#=> prints unsanitized text marked as html_safe.
%p=content_for(:page_title)
Debugging reveals that content_for when used in HAML does not sanitize given input.
This issue is seen in HAML v1 & v2, Rails 4-6.
Not sure whether this should be reported here or on Rails. This issue is only seen when using HAML with rails.
The text was updated successfully, but these errors were encountered:
See the following pages:
https://content-for-rails.herokuapp.com/works
https://content-for-rails.herokuapp.com/fails
The text was updated successfully, but these errors were encountered: