Our usage of Rails and markup rendering pipelines allows us to escape untrusted data by default during HTML rendering. However, there are always edge cases that could pop up. Read Rails’ security guide about XSS for more specific examples.
github.com domain. Additionally, we set the X-XSS-Protection header to instruct browsers to activate proactive XSS mitigation. To prevent an XSS exploit from compromising user sessions, access to sensitive cookies is disallowed by setting the
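The two points above, default escaping and the edge cases it does not cover, plus the response-header hardening, are shown below in a small Ruby example. This is added illustration, not GitHub's or Rails' own code: plain `ERB` with `ERB::Util.html_escape` stands in for Rails' auto-escaping `<%= %>`, the attacker payload is modelled on the one visible in the leaderboard, and the `HttpOnly` cookie flag and the `safe_url` helper are assumptions about what a practitioner would use rather than something the page states.

```ruby
require "erb"
require "uri"

# Constructed attacker input: the classic img/onerror payload.
PAYLOAD = "<img src=404 onerror=alert(document.domain)>"

# Text context: HTML-escaping the untrusted value is sufficient.
# Rails' <%= %> does this by default; in plain ERB it must be explicit.
def render_comment(body)
  ERB.new('<p class="comment"><%= ERB::Util.html_escape(body) %></p>')
     .result_with_hash(body: body)
end

# Edge case: an untrusted value placed in an href. html_escape leaves
# ":" "(" ")" untouched, so a javascript: URL survives escaping and
# still executes when the link is clicked.
def render_link(url, label)
  ERB.new('<a href="<%= ERB::Util.html_escape(url) %>"><%= ERB::Util.html_escape(label) %></a>')
     .result_with_hash(url: url, label: label)
end

# Hypothetical mitigation for the href case: allow only http(s) schemes.
# URI.parse downcases the scheme and rejects whitespace/control characters.
def safe_url(url)
  scheme = URI.parse(url.to_s).scheme
  %w[http https].include?(scheme) ? url : "#"
rescue URI::InvalidURIError
  "#"
end

# Response headers of the kind described in the text. The HttpOnly flag is
# assumed here as the mechanism that keeps scripts away from the session cookie.
def security_headers(session_id)
  {
    "X-XSS-Protection" => "1; mode=block",
    "Set-Cookie" => "_session=#{session_id}; Secure; HttpOnly; SameSite=Lax",
  }
end

if __FILE__ == $PROGRAM_NAME
  puts render_comment(PAYLOAD)                                   # escaped, inert
  puts render_link("javascript:alert(document.domain)", "docs")  # escaped but still executable
  puts render_link(safe_url("javascript:alert(document.domain)"), "docs")  # neutralised
  puts security_headers("constructed-session-id")
end
```

The contrast between `render_comment` and `render_link` is the practical point: output escaping is context-dependent, and an attribute that the browser interprets as a URL needs scheme validation on top of HTML escaping.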
More about cross-site scripting vulnerabilities from OWASP’s Top 10:
XSS is the most prevalent web application security flaw. XSS flaws occur when an application includes user supplied data in a page sent to the browser without properly validating or escaping that content. There are three known types of XSS flaws: 1) Stored, 2) Reflected, and 3) DOM based XSS.
| # | Points | Researcher | Report |
|---|---|---|---|
| 1 | 200 pts | Kieran Huggins | XSS in flight-manual.atom.io |
| 2 | 1000 pts | Arjun V | Organization creation self-XSS |
| 3 | 2500 pts | xpn | XSS in GitHub Desktop |
| 4 | 3000 pts | Aleksandr Dobkin (`<img src=404 onerror=alert(document.domain)>`) | Cross-site scripting in task lists |
| 5 | 1500 pts | Aleksandr Dobkin (`<img src=404 onerror=alert(document.domain)>`) | Cross-site scripting in Markdown API |