XSS in url_for(params)
Click the feed icon at the top, and you'll get an alert box
We need to:
- Audit all current uses of `url_for` where we modify params.
- Replace those with a
- Either add a RuboCop rule for `url_for` without the argument being `safe_params`, or create a follow-up issue.
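As an added illustration of the audit and lint steps above (not GitLab's own code, and not a RuboCop cop): a script built on Ruby's stdlib `Ripper` that lists bare `url_for` calls and flags those whose argument expression starts from the raw `params` object instead of `safe_params`. The source it scans is a constructed sample, and the "root identifier" rule is an assumed heuristic.

```ruby
require 'ripper'

# Constructed sample of view/controller code: lines 1 and 3 pass request
# params (possibly modified) straight to url_for; line 2 uses safe_params;
# line 4 builds the URL from a literal hash with no request input.
SAMPLE = <<~'RUBY'
  link_to "Feed", url_for(params.merge(format: :atom))
  link_to "Safe", url_for(safe_params.merge(format: :atom))
  redirect_to url_for(params)
  url_for(controller: 'projects', action: 'show')
RUBY

# Depth-first walk over a Ripper S-expression, yielding every typed node.
def each_node(node, &blk)
  return unless node.is_a?(Array)
  yield node if node.first.is_a?(Symbol)
  node.each { |child| each_node(child, &blk) }
end

# Leftmost identifier in an argument expression, e.g. "params" for
# `params.merge(format: :atom)`; nil for a literal hash.
def first_ident(node)
  each_node(node) { |n| return n[1] if n[0] == :@ident }
  nil
end

# Every bare `url_for(...)` / `url_for ...` call, with its line number and
# the identifier its argument expression starts from.
def url_for_calls(src)
  calls = []
  each_node(Ripper.sexp(src)) do |node|
    type, callee, args = node
    next unless %i[method_add_arg command].include?(type)
    ident = type == :command ? callee : (callee[0] == :fcall && callee[1])
    next unless ident.is_a?(Array) && ident[0] == :@ident && ident[1] == 'url_for'
    calls << { line: ident[2][0], root: first_ident(args) }
  end
  calls
end

# Heuristic lint (assumed rule): flag calls whose argument is derived from
# raw `params`; a real RuboCop cop would apply the same receiver check.
def unsafe_url_for_calls(src)
  url_for_calls(src).select { |c| c[:root] == 'params' }
end

if __FILE__ == $PROGRAM_NAME
  unsafe_url_for_calls(SAMPLE).each do |c|
    puts "line #{c[:line]}: url_for argument built from raw params"
  end
end
```

Run it over `app/` with `Dir.glob` and `File.read` in place of `SAMPLE` to get a first-pass list for the audit; calls through an explicit receiver (`helpers.url_for`) are not covered.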
Because of !18241 (merged), the patch will be slightly different for 10.7 and below than for 10.8 and above.