workaround for CVE-2014-4920

wvengen 2014-09-10 13:27:45 +02:00
parent 3f3d7c4e3b
commit f18cc367ae
3 changed files with 11 additions and 4 deletions


@ -164,7 +164,14 @@ module ApplicationHelper
:target => "_blank" :target => "_blank"
end end
def bootstrap_flash # Returns flash messages html.
#
# Use this instead of twitter-bootstrap's +bootstrap_flash+ method for safety, until
# CVE-2014-4920 is fixed.
#
# @return [String] Flash message html.
# @see http://blog.nvisium.com/2014/03/reflected-xss-vulnerability-in-twitter.html
def bootstrap_flash_patched
flash_messages = [] flash_messages = []
flash.each do |type, message| flash.each do |type, message|
type = :success if type == :notice type = :success if type == :notice
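Review bot: The escaping step that CVE-2014-4920 is about is not in the visible lines — `bootstrap_flash_patched` opens with the same `flash.each` loop as the helper it replaces, so the actual fix presumably sits where `message` is rendered further down; confirm it goes through `h(message)` / `ERB::Util.html_escape` or `content_tag` rather than string interpolation followed by `.html_safe`, since flash content can, depending on the controllers, originate from request parameters. If the removed `def bootstrap_flash` was this app's own override of the gem helper, renaming it means the gem's unpatched `bootstrap_flash` becomes reachable again under its original name; adding `alias bootstrap_flash bootstrap_flash_patched` (or keeping the override under the original name) would close that door. The comment "until CVE-2014-4920 is fixed" would be more actionable as `# TODO: remove once the twitter-bootstrap-rails version in use escapes messages in bootstrap_flash`. The method body continues past the end of the hunk.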


@ -32,7 +32,7 @@
.span3 .span3
= yield(:sidebar) = yield(:sidebar)
.span9 .span9
= bootstrap_flash = bootstrap_flash_patched
- if content_for?(:actionbar) - if content_for?(:actionbar)
.btn-toolbar.pull-right= yield(:actionbar) .btn-toolbar.pull-right= yield(:actionbar)
- if show_title? - if show_title?
@ -40,7 +40,7 @@
%h1= yield(:title) %h1= yield(:title)
= yield = yield
- else - else
= bootstrap_flash = bootstrap_flash_patched
- if content_for?(:actionbar) - if content_for?(:actionbar)
.btn-toolbar.pull-right= yield(:actionbar) .btn-toolbar.pull-right= yield(:actionbar)
- if show_title? - if show_title?
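Review bot: Swapping call sites is only as complete as the search that found them — any view, partial or other layout still calling `bootstrap_flash` silently falls through to the gem's unpatched helper, and nothing in this commit guards against a missed one. A `grep -rn bootstrap_flash app/ lib/` before merging, or overriding the helper under its original name in `ApplicationHelper` so a missed call site still gets the safe version, would make the workaround fail closed instead of open. Both hunks sit inside branches of the layout whose enclosing blocks start outside the hunk.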


@ -2,7 +2,7 @@
.container .container
.row .row
.span6.offset3 .span6.offset3
= bootstrap_flash = bootstrap_flash_patched
- if show_title? - if show_title?
.page-header .page-header
%h1= yield(:title) %h1= yield(:title)