Vito Botta
vitobotta.com
did:plc:fw6vwfuptwdbfgx2jvoi4igb
CVE-2026-33170 is fascinating because it breaks Rails' own XSS protection system. SafeBuffer#% operator fails to propagate the html_unsafe flag when creating new buffers, so content that should be escaped gets marked as safe.
1/2
2026-04-10T21:54:47.497Z
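
The flag-propagation failure described in the post, as an added toy model in plain Ruby. This is not Rails or ActiveSupport code and not from the post's author: `ToyBuffer`, `FixedToyBuffer`, `unsafe_append!`, `mark_unsafe!`, `render` and `demo` are hypothetical names, and the sample strings are constructed.

```ruby
# Toy model only: these classes are hypothetical and are not ActiveSupport's code.
ESCAPES = { "&" => "&amp;", "<" => "&lt;", ">" => "&gt;", '"' => "&quot;", "'" => "&#39;" }.freeze

def escape_html(text)
  text.to_s.gsub(/[&<>"']/, ESCAPES)
end

class ToyBuffer < String
  def initialize(str = "")
    super(str)
    @html_unsafe = false # a fresh buffer starts out trusted
  end

  def html_safe?
    !@html_unsafe
  end

  # Stand-in for an in-place edit that inserts raw text: the buffer stops being trusted.
  def unsafe_append!(raw)
    @html_unsafe = true
    concat(raw)
  end

  def mark_unsafe!
    @html_unsafe = true
    self
  end

  # Flawed formatting: arguments are escaped, but the result is a fresh buffer
  # whose flag starts out "safe" even when the receiver was already untrusted.
  def %(args)
    self.class.new(super(Array(args).map { |a| escape_html(a) }))
  end
end

class FixedToyBuffer < ToyBuffer
  # Corrected formatting: the new buffer inherits the receiver's untrusted state.
  def %(args)
    result = super
    html_safe? ? result : result.mark_unsafe!
  end
end

# What a template layer does: emit trusted buffers verbatim, escape everything else.
def render(value)
  value.respond_to?(:html_safe?) && value.html_safe? ? value.to_s : escape_html(value)
end

def demo(klass)
  template = klass.new("<p>%s</p>")
  template.unsafe_append!("<i>constructed raw text</i>") # constructed sample input
  render(template % "a & b")
end
```

`demo(ToyBuffer)` returns the markup unescaped because the formatted result claims to be safe, while `demo(FixedToyBuffer)` escapes the whole string.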