security hole fixed

2025-05-21 18:12:32 +08:00 · 2013-02-11 17:28:21 +11:00
parent 1c12c91d0c
commit 80929ead4b
1 changed files with 4 additions and 1 deletions
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@ -76,7 +76,10 @@ class ApplicationController < ActionController::Base

  def store_preloaded(key, json)
    @preloaded ||= {}
-    @preloaded[key] = json
+    # I dislike that there is a gsub as opposed to a gsub! 
+    #  but we can not be mucking with user input, I wonder if there is a way 
+    #  to inject this safty deeper in the library or even in AM serializer
+    @preloaded[key] = json.gsub("</", "<\\/")
  end

  # If we are rendering HTML, preload the session data