Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Can´t use: [:escaped_params] ? #1615

Closed
baelter opened this issue May 19, 2020 · 3 comments · Fixed by #1632
Closed

Can´t use: [:escaped_params] ? #1615

baelter opened this issue May 19, 2020 · 3 comments · Fixed by #1632

Comments

@baelter
Copy link
Contributor

baelter commented May 19, 2020

Shouldn't :escaped_params be added here: https://github.com/sinatra/sinatra/blob/master/rack-protection/lib/rack/protection.rb#L33 ??
@dentarg
Copy link
Member

dentarg commented May 19, 2020

Seems like it is intentionally not included by use Rack::Protection, if that's what you mean: https://github.com/sinatra/sinatra/blob/v2.0.8.1/rack-protection/README.md#cross-site-request-forgery

A bit hard to follow, but I think background for that exist in

@baelter
Copy link
Contributor Author

baelter commented May 20, 2020

I'm down with that, but it can't be activated with

set(:protection, use: [:escaped_params], escape: [:html]

Bonus quirk: the escape options passed above are used if I activate it with

use Rack::Protection::EscapedParams

@jkowens
Copy link
Member

jkowens commented Aug 11, 2020

@baelter I think you are correct, it should be added there and off by default. Can you send up a PR to do that?

@baelter baelter mentioned this issue Aug 14, 2020
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Enable EscapedParams if passed via settings baelter/sinatra
3 participants
@dentarg @jkowens @baelter