Here is a problematic example:
<% user_title = '<script>alert("foo");</script>' %>
<th scope="row" class="js-tooltip" title="<%= user_title %>" data-tipped-options="position: 'topleft'">
Rails escapes HTML characters, but it appears that Tipped unescapes them. For example, this will be executed, as well:
<img src="nope" onerror="alert('xss')">
In order to use Tipped, we have to double-escape user-supplied strings in Ruby. I was hoping there's a global option to turn off un-escaping, but I'm not seeing anything in the docs.
Alternatively, is there an easier solution that I'm missing?
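The double-escaping workaround described above, as an added example (not code from the original post or from Tipped). `tipped_safe_title` HTML-escapes a user string twice; `simulate_unescape_once` is a constructed stand-in for the tooltip library's one-pass entity decoding, used here only to show that the double-escaped value comes out as inert text rather than markup.

```ruby
require 'erb'

# Escape twice so that after the tooltip library HTML-unescapes the
# title attribute once, the browser still receives entity-encoded text.
def tipped_safe_title(user_input)
  once = ERB::Util.html_escape(user_input.to_s)
  ERB::Util.html_escape(once)
end

# Constructed stand-in for the library's unescape step (assumption: it
# decodes the common named/numeric entities exactly once). Not Tipped's code.
ENTITY_MAP = {
  '&lt;' => '<', '&gt;' => '>', '&quot;' => '"',
  '&#39;' => "'", '&#x27;' => "'", '&amp;' => '&'
}.freeze

def simulate_unescape_once(html)
  # Single left-to-right pass: "&amp;lt;" becomes "&lt;", never "<".
  html.gsub(/&(?:lt|gt|quot|amp|#39|#x27);/) { |ent| ENTITY_MAP[ent] }
end

# True when the string contains no HTML tag opener, i.e. it renders as text.
def tooltip_is_inert?(markup)
  !markup.match?(%r{<\s*/?\s*[a-z]}i)
end

if $PROGRAM_NAME == __FILE__
  # Sample payloads taken from the post; constructed inputs for the demo.
  [%q{<script>alert("foo");</script>},
   %q{<img src="nope" onerror="alert('xss')">}].each do |input|
    single = simulate_unescape_once(ERB::Util.html_escape(input))
    double = simulate_unescape_once(tipped_safe_title(input))
    puts "single-escaped after unescape: #{single}  inert=#{tooltip_is_inert?(single)}"
    puts "double-escaped after unescape: #{double}  inert=#{tooltip_is_inert?(double)}"
  end
end
```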