Mario de la Ossa authored
We were allowing users to store XSS in `#data_attributes_for` by not dealing with HTML Entities. We now escape HTML entities out, thus fixing the problem.
aa0e9b33