Big pass on escaping and urls #911
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Before it was escaping everything passed to redirect and thus only using escape_path. But I need it all escaped so I can start making ../../ work.
I only ever wanted to use rack protection authenticity token and thought that is what I was doing. I now realize they include several by default unless you explicitly turn them off. Instead i'm just going to include what i want which is auth token stuff.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes #901. Likely fixes all the rack protection issues people have. I realized that rack protection includes several things by default unless you exclude them. My bad. I thought I was only "use"-ing authenticity token. Hopefully this fixes some issues for others because now that is all I'm using.