It’s just data

XSS Protection by Default in Rails 3.0


Michael Koziarski: Switch to on-by-default XSS escaping for rails.  This consists of:

Not mentioned in the commit message, but for backwards compatibility the html_escape and h helpers still exist; since template output is now escaped anyway, wrapping a value in h has no visible effect (a string that is already marked safe is not escaped a second time).  This change is also being backported to 2.3.

For existing applications, the changes needed will tend to be small and easily spotted.  The biggest impact will be on books and tutorials.  New users will either see what they perceive as line noise being emitted and wonder what they did wrong, or will follow instructions such as the following (from the third edition of Agile Web Development with Rails) and wonder why it doesn’t work as advertised:

In general, try to get into the habit of typing <%=h … %> in templates and then removing the h only when you’ve convinced yourself it’s safe to do so.

For new applications, this is all goodness.  Do nothing in most cases.  Add raw or sanitize only when needed.  The fourth edition will be updated to reflect this advice.
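To make the mechanism concrete, here is a small model of the escape-by-default machinery, added for this post as an illustration.  It is not ActiveSupport’s or ActionView’s code: the names (SafeBuffer, html_safe, raw, h) follow the commit’s vocabulary, the method bodies are simplified, and MiniView#out stands in for what a compiled <%= %> does.  It shows the three cases above: a plain string is escaped, h on the same string gives the identical result (no double escaping, which is why the old habit is harmless but redundant), and raw is the explicit opt-out.  The sample comment is constructed.

```ruby
# Model of the Rails 3.0 "escape by default" machinery, written as an
# illustration for this post. NOT ActiveSupport/ActionView code: names follow
# the commit's vocabulary, bodies are simplified, MiniView#out stands in for
# what a compiled <%= %> does.
ESCAPE_MAP = { '&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;' }.freeze

def escape_html(s)
  s.to_s.gsub(/[&<>"]/, ESCAPE_MAP)
end

# A String that has already been escaped, or that someone has vouched for.
class SafeBuffer < String
  def html_safe?
    true
  end

  # Whatever is appended is escaped unless it is itself already safe, so the
  # buffer can only ever hold escaped text plus explicitly vouched-for markup.
  def concat(other)
    safe = other.respond_to?(:html_safe?) && other.html_safe?
    super(safe ? other : escape_html(other))
  end
  alias << concat

  def +(other)
    dup.concat(other)
  end
end

class String
  def html_safe?
    false
  end

  # "I have checked this markup myself": the only way to bypass escaping.
  def html_safe
    SafeBuffer.new(self)
  end
end

module Helpers
  # h / html_escape kept for old templates: escapes an unsafe string and marks
  # the result safe, skips a safe one. Hence <%= h x %> now equals <%= x %>.
  def h(s)
    s.html_safe? ? s : escape_html(s).html_safe
  end
  alias html_escape h

  # raw: opt out of escaping for this one value.
  def raw(s)
    s.to_s.html_safe
  end
end

class MiniView
  include Helpers

  # The compiled template appends each <%= expr %> to a SafeBuffer.
  def render(&template)
    @output_buffer = SafeBuffer.new
    instance_eval(&template)
    String.new(@output_buffer)   # hand back a plain String
  end

  def out(value)
    @output_buffer << value
  end
end

# Constructed sample input: a blog comment carrying a script injection.
COMMENT = %q{<script>alert("xss")</script> <b>bold</b>}

def demo
  view = MiniView.new
  {
    default: view.render { out COMMENT },          # escaped
    with_h:  view.render { out h(COMMENT) },       # same result, no double escaping
    raw:     view.render { out raw(COMMENT) },     # passed through untouched
    wrapped: view.render { out '<p>'.html_safe; out COMMENT; out '</p>'.html_safe },
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |label, html| puts "#{label}: #{html}" }
end
```

The point to notice is that safety lives on the buffer, not on the template: once the output buffer is a SafeBuffer, the only strings that reach the browser unescaped are those somebody marked with html_safe (or raw), and that call is the thing to grep for in a code review.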


Notes for discussion, based on changes:

Posted by Sam Ruby at

XSS Protection by Default in Rails 3.0. Fantastic news—congratulations, Rails core team....

Excerpt from Simon Willison's Weblog at

I like it, Django does the same thing and it works great... a bit of a mindset switch but a safer default in general is a good thing

Posted by Jaap at

Hmmm.

From the looks of the built-in sanitizer, this is quite inadequate for sanitizing inline SVG (for instance).

Also, do I understand correctly that while ERB templates will be sanitized, Atom feeds (using builder or the Atom helper) will not?

Perhaps the best thing to do (after much investment in Instiki’s sanitizer) is to mark the strings it outputs as html_safe!  ?

Posted by Jacques Distler at


This seems to affect only output, while XSS protection should be (also) applied to input validation, in the form of not accepting any invalid content. Is that addressed anywhere with default-on?

That matters because output sanitizing is essentially blacklisting (escape any known unsafe character), while input validation can use whitelisting (accept only content known to be safe). The MySpace Samy attack was possible due to MySpace relying on blacklisting; the Antisamy project therefore relies on whitelist filtering.

It also matters because the binary safe/unsafe approach doesn’t seem to address the case where some HTML content is valid, but not all (the case for the blog comment).

Posted by Jörn Zaefferer at

Jörn: Rails’ output sanitizer is based on a white list.  Only known tags, attributes, properties, etc. are allowed through.

I’ve collaborated in the past with Jacques on the sanitizer that now is in Instiki... it would be nice if we can compare the two to see if there are any holes that one covers over the other and address them.  Ideally, we can even converge the two.

Posted by Sam Ruby at

Jörn: We have the sanitize method for handling the ‘some html allowed’ case.  You tell it the tags and attributes which are allowed, and everything else is removed.  The remaining string is considered safe for output.

It’s not as binary as it looks :)

Jacques: The atom feed helpers use builder which escapes everything as is.

Posted by Michael Koziarski at
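The “some HTML allowed” case Michael describes, and the white-list principle Sam mentions two comments up, as an added example.  This is not Rails’ sanitizer nor Instiki’s: the allowlists, regexes and the sanitize/safe_url? names are this example’s own.  The idea it demonstrates is that output is rebuilt from the allowlist rather than filtered, so a token that is not positively recognised as an allowed tag is escaped as text, an attribute not on the list is dropped, and an href survives only with an explicitly allowed scheme after entity decoding (so “&#106;avascript:” cannot slip past).  The inputs in the usage section are constructed.

```ruby
require 'cgi'

# Allowlist sanitizer for the "some HTML allowed" case (blog comments).
# Illustrative model of what a sanitize helper promises, NOT Rails' or
# Instiki's code; the allowlists and regexes are this example's own.
ALLOWED_TAGS    = %w[p br b i em strong code pre blockquote ul ol li a].freeze
ALLOWED_ATTRS   = { 'a' => %w[href title] }.freeze   # tag name => attribute names
ALLOWED_SCHEMES = %w[http https mailto].freeze
ESCAPE_MAP      = { '&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;' }.freeze

def escape_html(s)
  s.gsub(/[&<>"]/, ESCAPE_MAP)
end

# A token counts as a tag only if it has exactly this shape; anything else
# (comments, doctype, unbalanced quotes, a stray '<') is treated as text.
TAG_RE  = %r{\A<(/?)([a-z][a-z0-9]*)((?:\s+[a-z][a-z0-9-]*(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+))?)*)\s*/?>\z}i
ATTR_RE = /([a-z][a-z0-9-]*)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+))?/i

# A URL survives only with an allowed scheme, or with none at all (relative).
# Entities are decoded first so "&#106;avascript:" cannot hide a scheme, and
# the whitespace/control characters browsers skip are removed before checking.
def safe_url?(value)
  v = CGI.unescapeHTML(value).gsub(/[\x00-\x20]/, '')
  scheme = v[/\A([a-z][a-z0-9+.-]*):/i, 1]
  scheme.nil? || ALLOWED_SCHEMES.include?(scheme.downcase)
end

def sanitize(html)
  out = +''
  html.scan(/<[^>]*>|[^<]+|</) do |token|
    m = token.match(TAG_RE)
    unless m
      out << escape_html(CGI.unescapeHTML(token))   # text: normalise, then escape
      next
    end
    closing, name, attrs = m[1] == '/', m[2].downcase, m[3]
    next unless ALLOWED_TAGS.include?(name)          # unknown tag: dropped, its text stays
    if closing
      out << "</#{name}>"
      next
    end
    kept = attrs.scan(ATTR_RE).map do |attr, val|
      attr = attr.downcase
      next unless (ALLOWED_ATTRS[name] || []).include?(attr)
      val = val.to_s.sub(/\A(["'])(.*)\1\z/m, '\2')  # strip surrounding quotes
      next if %w[href src].include?(attr) && !safe_url?(val)
      %( #{attr}="#{escape_html(CGI.unescapeHTML(val))}")
    end.compact
    out << "<#{name}#{kept.join}>"
  end
  out   # in Rails the helper's return value would be marked html_safe
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs exercising the rejection paths.
  [
    '<script>alert(1)</script><b onmouseover="x">hi</b>',
    '<a href="&#106;avascript:alert(1)">x</a>',
    '<a href="http://e.com/?a=1&b=2" title="&lt;hi&gt;">x</a>',
    '<img src=x onerror=alert(1)> a < b & c',
  ].each { |input| puts "#{input}\n  => #{sanitize(input)}" }
end
```

What this does not do is as important as what it does: it knows nothing about nesting, about which tags may contain which, or about SVG and MathML vocabularies, which is exactly the gap Jacques raises above, and a real sanitizer needs a parser for that.  The structural lesson still holds: the safe direction is to construct output from an allowlist, not to delete known-bad patterns from the input.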

Jacques: The atom feed helpers use builder which escapes everything as is.

Probably I am misunderstanding something. What happens when you set :type => 'xhtml' ?

Posted by Jacques Distler at


TTMMHTM: Piano hacks, PHP and Ruby secured, Leisure Suit Larry in Canvas

Things that made me happy this morning. Changing a staircase into a massive piano makes 60% more people use it instead of the escalators – fun is the best way to make people use things. You can do vocoding with a Piano YQL meets SPARQL Kayak...

Excerpt from Wait till I come! at


Best of Application Security (Friday, Oct. 9)

Ten of Application Security industry’s coolest, most interesting, important, and entertaining links from the past week — in no particular order. Regularly released until year end. Then the Best of Application Security 2009 will be selected!...

Excerpt from Jeremiah Grossman at

You guys rock!

This is what’s needed - make the devs life as simple as possible, whilst still allowing those who need to shoot themselves in the foot to do more work before pulling the trigger.

Awesome. Now for PHP.

thanks,
Andrew

Posted by Andrew van der Stock at

Ruby / [PODCAST] Ruby NoName Podcast #21

Twitter: green_mouse and labria. RSS and the podcast site at RPod.ru. News topics: Ruby EE 1.8.7, RubyMine 2.0 beta, R18n, RMagick is looking for a new maintainer, RailsCasts: Include vs Join, Cropping images, Finding unused CSS, RubyPulse Ruby screencast aggregator...

Excerpt from Хабрахабр: at

