Discource-C
/
discourse
mirror of https://github.com/discourse/discourse.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

security hole fixed

This commit is contained in:
Sam Saffron 2013-02-11 17:28:21 +11:00
parent 1c12c91d0c
commit 80929ead4b
1 changed files with 4 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
app/controllers/application_controller.rb
View File

@ -76,7 +76,10 @@ class ApplicationController < ActionController::Base
def store_preloaded(key, json)
@preloaded ||= {}
@preloaded[key] = json
# I dislike that there is a gsub as opposed to a gsub!
# but we can not be mucking with user input, I wonder if there is a way
# to inject this safty deeper in the library or even in AM serializer
@preloaded[key] = json.gsub("</", "<\\/")
end
# If we are rendering HTML, preload the session data