
@lazyatom
Created February 14, 2011 18:03
log_escaping.diff
#!/bin/sh
# Log in once (the CSRF check is disabled in the diff below so a plain POST is accepted); --keep-session-cookies makes wget persist a session-only cookie to cookies.txt.
wget -O - --save-cookies cookies.txt --keep-session-cookies --post-data "save_login=1&email=EMAIL&password=PASSWORD" http://SITE/session > /dev/null
# Spider one level of links from /home as that user so every rendered view passes through the escaping logger.
wget -r -l 1 --spider --load-cookies cookies.txt --save-cookies cookies.txt --keep-session-cookies http://SITE/home
diff --git a/app/controllers/website_base_controller.rb b/app/controllers/website_base_controller.rb
index 9714804..f10da0a 100644
--- a/app/controllers/website_base_controller.rb
+++ b/app/controllers/website_base_controller.rb
@@ -8,7 +8,7 @@ class WebsiteBaseController < ApplicationController
:save_return_to_url, :enforce_ip_bans] # For optimization of ajax
# See ActionController::RequestForgeryProtection for details
- protect_from_forgery
+ # protect_from_forgery
include AdSystem
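Review bot: commenting out `protect_from_forgery` switches CSRF protection off for every controller that inherits from WebsiteBaseController, which is what lets the token-less wget POST to /session in the script above succeed, but the change is global and leaves no trace that it is a diagnostic; guard it so it cannot ship, e.g. `skip_before_filter :verify_authenticity_token if ENV['LOG_ESCAPING']` in place of the comment, or keep the original line and have the script fetch and submit the authenticity token, and revert the hunk once the log has been collected.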
diff --git a/vendor/plugins/rails_xss/lib/rails_xss/string_ext.rb b/vendor/plugins/rails_xss/lib/rails_xss/string_ext.rb
index ae21705..83108d1 100644
--- a/vendor/plugins/rails_xss/lib/rails_xss/string_ext.rb
+++ b/vendor/plugins/rails_xss/lib/rails_xss/string_ext.rb
@@ -5,6 +5,18 @@ ActiveSupport::SafeBuffer.class_eval do
if value.html_safe?
super(value)
else
+ if ERB::Util.h(value) != value
+ line = caller.find { |l| l =~ /app\/views/ }
+ $lines_with_issues ||= []
+ unless $lines_with_issues.include?(line)
+ $lines_with_issues << line
+ File.open(File.join(RAILS_ROOT, "log", "html_escaping.log"), "a") do |f|
+ f.puts "escaping text #{value.inspect} => #{ERB::Util.h(value).inspect}"
+ f.puts line
+ f.puts '-'*80
+ end
+ end
+ end
super(ERB::Util.h(value))
end
end
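Review bot: `caller.find { |l| l =~ /app\/views/ }` returns nil when the concat happens outside a view (helpers, mailers, lib code), so the first such hit is recorded as nil and every later one outside a view is silently skipped because `include?(nil)` is then true; fall back to `caller.first` (or log the first few caller frames) so each call site is still attributed. `ERB::Util.h(value)` is also evaluated twice, once for the comparison and once for `super`; compute `escaped = ERB::Util.h(value)` once and reuse it in both places. Note that `value.inspect` writes whatever was rendered, user-supplied data included, into log/html_escaping.log, and `$lines_with_issues` is a process-wide global updated without synchronisation, so keep this logging out of production and remove the log file when the audit is done.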