Fix reflected XSS vulnerabilities in some views

This commit is contained in:
Jyri-Petteri Paloposki 2024-07-25 15:34:44 +03:00
parent c23ca0574e
commit b0d288d2ef
2 changed files with 10 additions and 8 deletions


@ -863,8 +863,10 @@ class TodosController < ApplicationController
end
@single_tag = @tag_expr.size == 1 && @tag_expr[0].size == 1
@tag_name = @tag_expr[0][0]
@tag_title = @single_tag ? @tag_name : tag_title(@tag_expr)
# These are used in the templates, sanitise to prevent XSS.
@tag_name = sanitize(@tag_expr[0][0])
@tag_title = sanitize(@single_tag ? @tag_name : tag_title(@tag_expr))
end
def filter_format_for_tag_view