OpenNeo

Dress to Impress - Neopets wearables made easy

May 14

XSS vulnerability closed

Just a quick notice that Dress to Impress had an XSS vulnerability in the Infinite Closet section, which has since been resolved. We have no evidence of anyone abusing this vulnerability, nor would they have been able to access sensitive account data regardless.

If you’re interested, here’s the source code change that fixed the security issue. Short and sweet one-liner, escaping query output. Funny, because this is usually the first place I check when someone asks me to check their site for security issues xD I think I forgot that the Markdown interpolation doesn’t do escaping by default, the way interpolation in most other spots in Rails 3 does.
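To show the shape of the bug and the fix, here is an added example that is not the Dress to Impress code itself. It assumes a helper that builds a "no results" Markdown message around the user's search query (the names `render_markdown`, `no_results_message_vulnerable` and `no_results_message_fixed` are made up), and it stands in for the Markdown library with a tiny emphasis-only renderer, since the real one (e.g. Redcarpet) passes raw HTML through in the same way:

```ruby
require 'erb'

# Stand-in for a Markdown library such as Redcarpet (assumption: the real
# library is not loaded here). It only turns *text* into <em>text</em> and
# passes everything else, including raw HTML tags, straight through, which
# is exactly what makes unescaped interpolation dangerous.
def render_markdown(source)
  source.gsub(/\*([^*]+)\*/, '<em>\1</em>')
end

# Vulnerable: the search query is interpolated into the Markdown source as-is.
# Rails 3 escapes "#{}" in ERB views, but a Markdown string assembled in Ruby
# code is a plain String, so nothing escapes the query before rendering.
def no_results_message_vulnerable(query)
  render_markdown("No items found for *#{query}*.")
end

# Fixed: escape the query before interpolating it, which is the one-line
# change the post describes. The surrounding Markdown markup still renders.
def no_results_message_fixed(query)
  render_markdown("No items found for *#{ERB::Util.html_escape(query)}*.")
end

if __FILE__ == $0
  payload = '<script>alert(1)</script>' # constructed sample query
  puts no_results_message_vulnerable(payload) # script tag survives into the page
  puts no_results_message_fixed(payload)      # rendered as &lt;script&gt;...
end
```

The check worth remembering: any string you build in Ruby and then hand to a renderer that emits HTML (Markdown, a mailer, `raw`/`html_safe`) is outside ERB's auto-escaping, so user input has to be escaped at the point it is interpolated.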

TL;DR: Minor security hole fixed. It doesn’t look like anyone used it, nor would it have done them much good.

Thanks for using Dress to Impress!
Matchu