From 8af95909c2c1320a13ea930674d4bbf3bb3f7a3f Mon Sep 17 00:00:00 2001
From: Raphael Sofaer
Date: Thu, 7 Jul 2011 21:54:34 -0700
Subject: [PATCH] escape js in format_tags until I can think about whether we have an XSS problem in the morning

---
 lib/diaspora/taggable.rb | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/diaspora/taggable.rb b/lib/diaspora/taggable.rb
index 7c3ab66bd..99fbf1b8a 100644
--- a/lib/diaspora/taggable.rb
+++ b/lib/diaspora/taggable.rb
@@ -4,6 +4,7 @@ module Diaspora
   module Taggable
+    extend ActionView::Helpers::JavaScriptHelper
     VALID_TAG_BODY = /[^_,\s#*\[\]()\@\/"'\.%]+\b/
     def self.included(model)
@@ -39,7 +40,7 @@ module Diaspora
     def self.format_tags(text, opts={})
       return text if opts[:plain_text]
       regex = /(^|\s)#(#{VALID_TAG_BODY})/
-      form_message = text.gsub(regex) do |matched_string|
+      form_message = escape_javascript(text).gsub(regex) do |matched_string|
         "#{$~[1]}##{$~[2]}"
       end
       form_message.html_safe
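Review bot: In the second hunk, `escape_javascript(text)` followed by `.html_safe` does not close the HTML-context problem the subject line worries about: `escape_javascript` only backslash-escapes quotes, newlines and `</` for a JavaScript string literal, so any other markup present in `text` still reaches the page unescaped once the result is marked `html_safe`, and ordinary apostrophes in tag text now render as `\'`. If `format_tags` output is rendered into an HTML body (inferred from the `html_safe` call, not shown here), the escaping that matches the sink is HTML escaping, e.g. `form_message = ERB::Util.html_escape(text).gsub(regex) do |matched_string|`; if callers already pass escaped input, no escaping belongs in this method at all and the `html_safe` contract should say so. The `extend ActionView::Helpers::JavaScriptHelper` added in the first hunk pulls a view helper into a model mixin solely for this call and becomes dead weight once the JS escaping is replaced. A comment above `format_tags` stating which rendering context callers may use the result in (HTML body vs. JavaScript string) would make the intended contract reviewable.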