- 9mo ·
-
Public·
-
mastodon.social
Investigation is a huge pain, and the scope of the problems sometimes makes the process cumbersome and demoralizing. Let's take an example: https://discuss.rubyonrails.org/t/possible-xss-vulnerability-in-action-controller/84947
For your app to be vulnerable to this, you have to
* call `translate` from a controller
* use a translation key that ends in "_html"
* use a translation default where the default translation text is untrusted text
* be missing the specific translation
* Trick a victim in to seeing this