workaround for CVE-2014-4920

app/helpers/application_helper.rb

@@ -164,7 +164,14 @@ module ApplicationHelper
       :target => "_blank"
   end
   
-  def bootstrap_flash
+  # Returns flash messages html.
+  #
+  # Use this instead of twitter-bootstrap's +bootstrap_flash+ method for safety, until
+  # CVE-2014-4920 is fixed.
+  #
+  # @return [String] Flash message html.
+  # @see http://blog.nvisium.com/2014/03/reflected-xss-vulnerability-in-twitter.html
+  def bootstrap_flash_patched
     flash_messages = []
     flash.each do |type, message|
       type = :success if type == :notice

app/views/layouts/application.html.haml

@@ -32,7 +32,7 @@
         .span3
           = yield(:sidebar)
         .span9
-          = bootstrap_flash
+          = bootstrap_flash_patched
           - if content_for?(:actionbar)
             .btn-toolbar.pull-right= yield(:actionbar)
           - if show_title?
@@ -40,7 +40,7 @@
               %h1= yield(:title)
           = yield
       - else
-        = bootstrap_flash
+        = bootstrap_flash_patched
         - if content_for?(:actionbar)
           .btn-toolbar.pull-right= yield(:actionbar)
         - if show_title?

app/views/layouts/login.html.haml

@@ -2,7 +2,7 @@
   .container
     .row
       .span6.offset3
-        = bootstrap_flash
+        = bootstrap_flash_patched
         - if show_title?
           .page-header
             %h1= yield(:title)