Investigation is a huge pain, and the scope of the problems sometimes makes the process cumbersome and demoralizing. Let's take an example: discuss.rubyonrails.org/t/poss

For your app to be vulnerable to this, you have to

* call `translate` from a controller
* use a translation key that ends in "_html"
* use a translation default where the default translation text is untrusted text
* be missing the specific translation
* trick a victim into seeing this

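As an added illustration (not Rails' code and not part of the thread), a small pure-Ruby model of the conditions listed above: a translate helper that marks `_html` keys safe, with the vulnerable handling of a missing key's default beside a hardened version that escapes the default before trusting it. `SafeHtml`, `render` and `TRANSLATIONS` are constructed stand-ins, not framework APIs.

```ruby
require "erb"

# Stand-in for a framework "safe buffer" (assumption, not Rails' SafeBuffer):
# text wrapped in SafeHtml is emitted verbatim by the view; plain strings are
# HTML-escaped at render time.
SafeHtml = Struct.new(:text)

def render(value)
  value.is_a?(SafeHtml) ? value.text : ERB::Util.html_escape(value.to_s)
end

# Constructed translation table standing in for a locale file.
TRANSLATIONS = { "en.greeting_html" => "Hello, <b>friend</b>" }.freeze

# Vulnerable pattern from the thread: a key ending in "_html" is marked safe,
# and when the key is missing the caller-supplied default is marked safe too,
# even if that default came straight from the request.
def translate_vulnerable(key, default:, table: TRANSLATIONS)
  text = table.fetch(key, default)
  key.end_with?("_html") ? SafeHtml.new(text) : text
end

# Hardened pattern: only text from the translation table is trusted as HTML;
# a default is escaped before being marked safe, so a missing key can no
# longer turn untrusted input into unescaped markup. Non-"_html" keys are
# returned as plain strings and escaped by render as usual.
def translate_hardened(key, default:, table: TRANSLATIONS)
  return table.fetch(key, default) unless key.end_with?("_html")
  table.key?(key) ? SafeHtml.new(table[key]) : SafeHtml.new(ERB::Util.html_escape(default))
end

if __FILE__ == $PROGRAM_NAME
  untrusted = "<i>untrusted</i>" # constructed request-controlled value
  puts render(translate_vulnerable("en.missing_html", default: untrusted)) # markup survives
  puts render(translate_hardened("en.missing_html", default: untrusted))   # escaped
end
```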
Aaron Patterson ✅

If you think about this situation as a funnel, the number of apps that are vulnerable to this particular security issue is probably 0. But is it a security issue? Yes.

The ratio of "amount of required effort" (which includes risk of messing up the release) vs "actual impact on the world" is extremely off. "Why do I have to do all this effort / paperwork for something as minor as this?" is what I say to myself.
