comments right now accept image tags

[justin808]

Somebody put in this comment at

http://www.reactrails.com/

<div class="comment" data-reactid=".0.0.2.$41"><h2 class="comment-author" data-reactid=".0.0.2.$41.0">123</h2><span data-reactid=".0.0.2.$41.1"><p><img src="" onerror="alert(1)"></p>
</span></div>

@mbreining we need to change the demo so that that HTML tags are stripped. In fact, they might be and this may have been entered on the rails side. In any case, any HTML tags should be escaped before display. @Dgrafmyre you can take a quick look at this as well. Might be fun to fix.

[justin808]

[justin808]

Deleted the offending records by running this in the console.

Comment.where("text like '%<%'").delete_all

However, the comment field should store anything in there.

Need to fix the ReactJs code so that it sanitizes the html tags before displaying them.

[justin808]

This was fixed and deployed some time ago.