Michael Koziarski: Switch to on-by-default XSS escaping for rails. This consists of:
String#html_safe! a method to mark a string as ‘safe’
ActionView::SafeBuffer a string subclass which escapes anything unsafe which is concatenated to it
Calls to String#html_safe! throughout the rails helpers
a ‘raw’ helper which lets you concatenate trusted HTML from non-safety-aware sources (e.g. presanitized strings in the DB)
New ERB implementation based on erubis which uses a SafeBuffer instead of a String
Not mentioned in the commit message: for backwards compatibility, the html_escape and h helpers still exist, but they essentially do nothing. This change is also being backported to 2.3.
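To make the mechanism above concrete, here is an added example written for this post, not Rails' own code: a toy SafeBuffer that escapes anything concatenated to it unless the value is already marked safe, with raw and an h that escapes once and marks the result safe (so with a SafeBuffer underneath it is redundant). The names SafeBuffer, raw and h follow the commit; html_safe returning a marked copy instead of the commit's mutating html_safe!, safe_concat for a template's static text, and render_comment standing in for a compiled ERB template are assumptions of this example.

```ruby
require 'erb'

# Added example, not Rails' implementation. Everything not marked safe is
# escaped the moment it is appended to a SafeBuffer.
class Object
  def html_safe?
    false
  end
end

class SafeBuffer < String
  def html_safe?
    true
  end

  # Append without escaping. Assumed to model what the erubis-based template
  # compiler does with the template's own static text.
  def safe_concat(value)
    String.instance_method(:<<).bind(self).call(value.to_s)
    self
  end

  # Everything else is escaped unless it is already marked safe.
  def <<(value)
    safe_concat(value.html_safe? ? value : ERB::Util.html_escape(value.to_s))
  end
  alias_method :concat, :<<

  def +(other)
    dup << other
  end
end

class String
  # Same intent as the commit's String#html_safe!, but returns a marked copy
  # rather than mutating the receiver (an assumption of this example).
  def html_safe
    SafeBuffer.new(self)
  end
end

# raw: trust the caller's HTML, e.g. markup that was sanitized before storage.
def raw(value)
  SafeBuffer.new(value.to_s)
end

# h / html_escape: escapes once and marks the result safe, so appending it to a
# SafeBuffer does not escape it a second time.
def h(value)
  value.html_safe? ? value : SafeBuffer.new(ERB::Util.html_escape(value.to_s))
end

# Stand-in for a compiled template such as:
#   <p class="author"><%= author %></p><%= raw body_html %>
def render_comment(author, body_html)
  out = SafeBuffer.new
  out.safe_concat('<p class="author">')   # static template text is trusted
  out << author                           # <%= author %>: escaped unless marked safe
  out.safe_concat('</p>')
  out << raw(body_html)                   # <%= raw body_html %>: passed through
  out
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample input: a hostile author name and trusted body markup.
  puts render_comment('<script>alert(1)</script>', '<em>hi</em>')
end
```

Note the asymmetry that also exists in Rails: `'x'.html_safe + '<b>'` escapes the right-hand side, but `'<b>' + 'x'.html_safe` is plain String#+ and yields an unsafe String, so the buffer has to be on the left.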
For existing applications, the changes needed will tend to be small and easily spotted. The biggest impact will be to books and tutorials. New users will either see what they perceive as line noise being emitted and wonder what they did wrong, or will follow instructions such as the following (from Edition 3) and wonder why it doesn’t work as advertised:
In general, try to get into the habit of typing <%=h … > in templates and then removing the h only when you’ve convinced yourself it’s safe to do so.
For new applications, this is all goodness. Do nothing in most cases. Add raw or sanitize only when needed. Edition 4 will be updated to reflect this advice.
It would be nice if I18n.t returned a SafeBuffer, the theory being that we are not looking to protect ourselves from whatever a developer puts into a YAML file. And if that is not sufficient to take care of the number_to_currency case, what that method returns should also be marked as safe.
Ticket 8894 remains an issue. At the very least, the inconsistencies leave an opening for XSS attacks. Example: submit_tag values are currently allowed through without escaping.
This seems to affect only output, while XSS protection should be (also) applied to input validation, in the form of not accepting any invalid content. Is that addressed anywhere with default-on?
That matters because output sanitizing is essentially blacklisting (escape any known unsafe character), while input validation can use whitelisting (accept only content known to be safe). The MySpace Samy attack was possible due to MySpace relying on blacklisting; the Antisamy project therefore relies on whitelist filtering.
It also matters because the binary safe/unsafe approach doesn’t seem to address the case where some HTML content is valid, but not all (the case for the blog comment).
Jörn: Rails’ output sanitizer is based on a white list. Only known tags, attributes, properties, etc. are allowed through.
I’ve collaborated in the past with Jacques on the sanitizer that now is in Instiki... it would be nice if we can compare the two to see if there are any holes that one covers over the other and address them. Ideally, we can even converge the two.
Jörn: We have the sanitize method for handling the ‘some html allowed’ case. You tell it the tags and attributes which are allowed, and everything else is removed. The remaining string is considered safe for output.
It’s not as binary as it looks :)
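To make the whitelist point from the comments concrete, here is an added example of an allow-list sanitizer in the spirit of the sanitize helper Jacques describes: you name the tags and attributes that may survive, and everything else is removed. It is example code written for this post, not Rails' sanitizer; the tag, attribute and URL-scheme lists, the regex tokenizer and the safe_url? check are all assumptions of the example, and it returns a plain String where Rails would mark the result safe for output.

```ruby
require 'cgi/escape'

# Added example: an allow-list ("whitelist") sanitizer. Only listed tags and
# attributes survive; everything else is removed. These lists, the tokenizer
# and the URL check are assumptions of this example, not Rails' own sanitizer.
ALLOWED_TAGS    = %w[p br em strong a ul ol li blockquote].freeze
ALLOWED_ATTRS   = %w[href title].freeze
ALLOWED_SCHEMES = %w[http https mailto].freeze

TAG_TOKEN  = /(<[^>]*>)/                                               # split point
TAG_SHAPE  = %r{\A<(/?)\s*([a-zA-Z][a-zA-Z0-9]*)([^>]*?)\s*(/?)>\z}m    # </name attrs/>
ATTR_SHAPE = /([a-zA-Z][a-zA-Z0-9:-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/

# A URL is acceptable if it is relative or its scheme is on the allow-list.
# Whitespace and control characters are stripped first so "java\nscript:" is
# judged by what a browser would actually see.
def safe_url?(url)
  cleaned = url.gsub(/[\s\x00-\x1f]/, '').downcase
  scheme  = cleaned[/\A([a-z][a-z0-9+.\-]*):/, 1]
  scheme.nil? || ALLOWED_SCHEMES.include?(scheme)
end

# Keep only allowed attributes. Values are entity-decoded *before* the policy
# check (so an encoded scheme cannot slip past) and re-escaped on output.
def render_attrs(attr_src, allowed)
  attr_src.scan(ATTR_SHAPE).filter_map do |name, dq, sq, bare|
    name  = name.downcase
    value = CGI.unescapeHTML(dq || sq || bare)
    next unless allowed.include?(name)
    next if name == 'href' && !safe_url?(value)
    %( #{name}="#{CGI.escapeHTML(value)}")
  end.join
end

# Text outside tags is normalised and re-escaped; allowed tags are rebuilt from
# scratch; disallowed tags are dropped but the text they wrapped is kept.
def sanitize(html, tags: ALLOWED_TAGS, attributes: ALLOWED_ATTRS)
  html.split(TAG_TOKEN).map do |token|
    if token.match?(/\A<[^>]*>\z/m)
      m = TAG_SHAPE.match(token)
      next '' unless m                           # comments, doctype, junk
      closing, name, attr_src, self_close = m.captures
      name = name.downcase
      next '' unless tags.include?(name)
      next "</#{name}>" if closing == '/'
      "<#{name}#{render_attrs(attr_src, attributes)}#{self_close == '/' ? ' /' : ''}>"
    else
      CGI.escapeHTML(CGI.unescapeHTML(token))
    end
  end.join
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample input: a comment mixing allowed markup with a script tag
  # and a link whose href and onclick should not survive.
  puts sanitize('<p>Hi <script>alert(1)</script><em>there</em></p>')
  puts sanitize('<a href="javascript:alert(1)" onclick="x()">x</a>')
end
```

The regex tokenizer is the weak spot: it cannot see a `>` inside an attribute value, which is exactly the class of hole Sam suggests comparing sanitizers for. A production sanitizer should tokenize with a real HTML parser and keep this allow-list policy on top of it.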
Jacques: The atom feed helpers use builder which escapes everything as is.
This is what’s needed - make the dev’s life as simple as possible, whilst still allowing those who need to shoot themselves in the foot to do more work before pulling the trigger.
Sam Ruby: XSS Protection by Default in Rails 3.0, Thu 08 Oct 2009 at 14:16