Humanize should escape HTML input #2

@sirn

Description

Currently Humanize doesn't do any HTML escaping; any input containing an HTML fragment could get executed on the page.

=> Humanize.truncatechars("<script>alert('yo');<\/script>", 30)
   "<script>alert('yo');</script>"

=> Humanize.linebreaks("<script>alert('yo');<\/script>")
   "<p><script>alert('yo');</script></p>"

If this library is used for rendering untrusted user input (such as comments), things won't be pretty. To protect some poor soul from using this nice little library without knowing such an implication, I believe Humanize should escape HTML input by default, with an optional parameter to disable it (if you, however, decide this is not the job of JS-Humanize, I think there should be a note about this behavior somewhere, in bold, red, large text, but that's likely never enough ;)

Either way, nice work!
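As an added example that is not part of JS-Humanize or of this issue, here is how a caller can neutralise untrusted input around such formatters, and why the escaping order differs between a function that emits no markup (truncatechars) and one that emits its own tags (linebreaks). The `truncatechars` and `linebreaks` functions below are simplified stand-ins written for this example so it runs offline; they are not the library's implementations.

```javascript
// Added example (not JS-Humanize code): escape untrusted text so that the
// output of humanizing formatters can be inserted into a page as HTML.
// truncatechars() and linebreaks() are simplified stand-ins for the real
// Humanize functions, included only so the example runs stand-alone.

function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Stand-in: cut the string to `length` characters, ending with `ending`.
function truncatechars(text, length, ending = "...") {
  const s = String(text);
  if (s.length <= length) return s;
  return s.slice(0, Math.max(0, length - ending.length)) + ending;
}

// Stand-in: paragraphs become <p>, single newlines become <br />.
function linebreaks(text) {
  return String(text)
    .split(/\n{2,}/)
    .map((p) => "<p>" + p.replace(/\n/g, "<br />") + "</p>")
    .join("");
}

// truncatechars emits no markup, so escape AFTER truncating: escaping first
// could let the cut land inside an entity such as "&amp;" and corrupt it.
function safeTruncatechars(text, length) {
  return escapeHtml(truncatechars(text, length));
}

// linebreaks emits its own <p>/<br /> tags, so escape BEFORE formatting:
// the untrusted text is neutralised while the generated tags survive.
function safeLinebreaks(text) {
  return linebreaks(escapeHtml(text));
}

// Constructed sample input mirroring the report above.
const payload = "<script>alert('yo');</script>";

console.log(safeTruncatechars(payload, 30)); // no raw <script> in the output
console.log(safeLinebreaks(payload));        // <p>...</p> survives, payload does not
```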
