The `:html` formatter passes `<` symbols as-is to the resulting HTML, which may result in an XSS vulnerability.
```
[2] pry(main)> Differ.diff_by_line("foo", "<script>alert(1)</script>").format_as(:html)
=> "<del class=\"differ\"><script>alert(1)</script></del><ins class=\"differ\">foo</ins>"
```
As Differ operates on strings, not HTML fragments, IMHO it should escape the chunks of these strings in the resulting HTML.
Using differ 0.1.2.
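The fix the report asks for is to HTML-escape every chunk (unchanged, deleted and inserted) before wrapping it in `<del>`/`<ins>` tags. The following is an added, self-contained illustration and not the differ gem's code: it implements a minimal line-based LCS diff with a formatter that escapes each chunk via `CGI.escapeHTML`. The names `SafeDiffHtml`, `diff_by_line` and `format_as_html` are assumptions for this example, and unlike the gem's `diff_by_line(target, source)` call shown above, this helper takes `(old, new)`.

```ruby
require 'cgi'

# Added example (not the differ gem): a minimal line diff whose HTML output
# escapes every chunk, so attacker-controlled text such as "<script>" can only
# ever be rendered as literal characters, never as markup.
module SafeDiffHtml
  Change = Struct.new(:type, :text) # type is :same, :del or :ins

  # Longest-common-subsequence line diff of old against new.
  def self.diff_by_line(old, new)
    a = old.split("\n", -1)
    b = new.split("\n", -1)
    m = a.length
    n = b.length

    # lcs[i][j] = length of the LCS of a[i..] and b[j..]
    lcs = Array.new(m + 1) { Array.new(n + 1, 0) }
    (m - 1).downto(0) do |i|
      (n - 1).downto(0) do |j|
        lcs[i][j] = if a[i] == b[j]
                      lcs[i + 1][j + 1] + 1
                    else
                      [lcs[i + 1][j], lcs[i][j + 1]].max
                    end
      end
    end

    # Walk the table to emit same/del/ins changes in order.
    changes = []
    i = j = 0
    while i < m && j < n
      if a[i] == b[j]
        changes << Change.new(:same, a[i])
        i += 1
        j += 1
      elsif lcs[i + 1][j] >= lcs[i][j + 1]
        changes << Change.new(:del, a[i])
        i += 1
      else
        changes << Change.new(:ins, b[j])
        j += 1
      end
    end
    a[i..-1].each { |t| changes << Change.new(:del, t) }
    b[j..-1].each { |t| changes << Change.new(:ins, t) }
    changes
  end

  # Same markup shape as the report's output (del/ins with class "differ"),
  # but every chunk is escaped first; only our own tags remain unescaped.
  def self.format_as_html(old, new)
    diff_by_line(old, new).map do |c|
      text = CGI.escapeHTML(c.text)
      case c.type
      when :del then %(<del class="differ">#{text}</del>)
      when :ins then %(<ins class="differ">#{text}</ins>)
      else text
      end
    end.join("\n")
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed input mirroring the report: the payload ends up as text, not a tag.
  puts SafeDiffHtml.format_as_html("foo", "<script>alert(1)</script>")
end
```

Because escaping happens per chunk before the wrapper tags are concatenated, the output is safe to place into a page regardless of which side of the diff carried the untrusted string; a consumer that wants raw HTML diffs would need to parse fragments first rather than diff raw strings.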