security hole fixed

This commit is contained in:
Sam Saffron 2013-02-11 17:28:21 +11:00
parent 1c12c91d0c
commit 80929ead4b

View File

@ -76,7 +76,10 @@ class ApplicationController < ActionController::Base
def store_preloaded(key, json)
@preloaded ||= {}
@preloaded[key] = json
# I dislike that there is a gsub as opposed to a gsub!
# but we can not be mucking with user input, I wonder if there is a way
# to inject this safty deeper in the library or even in AM serializer
@preloaded[key] = json.gsub("</", "<\\/")
end
# If we are rendering HTML, preload the session data