Francisco Hernandez
2006-May-05 04:40 UTC
[Rails] Is sanitize() strong enough to protect me from XSS?
Haven't been able to find a good enough answer on whether using sanitize() is enough to really protect me from XSS attacks.

I basically have a blog page that I want to allow people to display comments on but would like to allow html tags to be posted on the comments, these could be html tags like the imageshack img tags, youtube player, photobucket img tags etc.

Any other approaches or suggestions to this problem are appreciated! thanks!
jmcgrath@whoi.edu
2006-May-05 06:22 UTC
[Rails] Re: Is sanitize() strong enough to protect me from XSS?
i use a combination of redcloth and sanitize to provide some protection while also giving users some formatting options. has worked well to date. this is from a 'comments' partial:

<%= textilize( sanitize(c.description) ) %>

redcloth: http://whytheluckystiff.net/ruby/redcloth/
Francisco Hernandez
2006-May-05 07:37 UTC
[Rails] Re: Is sanitize() strong enough to protect me from XSS?
I'm aware of what redcloth does but what does it do to the output sanitize() returns that makes it safer?
jmcgrath@whoi.edu
2006-May-05 10:04 UTC
[Rails] Re: Is sanitize() strong enough to protect me from XSS?
nothing. you said you wanted xss protection, and to allow markup. sanitize for safety, redcloth for markup. basic html (strong, emphasize) should still work fine with redcloth, too.

the api is pretty straightforward about what sanitize does: "Sanitizes the given HTML by making form and script tags into regular text, and removing all "onxxx" attributes (so that arbitrary Javascript cannot be executed). Also removes href attributes that start with "javascript:""
Francisco Hernandez
2006-May-05 18:25 UTC
[Rails] Re: Is sanitize() strong enough to protect me from XSS?
looks like this still doesn't protect against having JS inside CSS on IE
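The gap raised in the last message (JS inside CSS) is what an allowlist sanitizer closes: instead of stripping known-bad tags and attributes, it rebuilds each tag from a list of known-good ones, so `style` and every `on*` attribute vanish because they are not listed, not because a blocklist names them. This is an added, stand-alone example, not code from the thread or from Rails itself; the tag/attribute policy, the scheme list and the sample comments are assumptions constructed for illustration, and the regex tokenizer is there only to keep the example self-contained (a production sanitizer should sit on a real HTML parser, as later Rails versions do).

```ruby
require "cgi"

# Allowlist policy for a blog comment box (constructed for this example):
# a tag survives only if listed here, and only with the attributes listed.
# "style" and every "on*" attribute are simply absent, so they are dropped
# without anyone having to enumerate them in a blocklist.
ALLOWED_TAGS = {
  "a" => %w[href title], "img" => %w[src alt width height],
  "strong" => [], "em" => [], "p" => [], "br" => [], "blockquote" => [],
}.freeze
ALLOWED_SCHEMES = %w[http https].freeze   # URL attributes must use one of these
URL_ATTRS = %w[href src].freeze

CHUNK_RE = /<[^>]*>|</   # every "<...>" run, or a stray "<" with no closing ">"
TAG_RE   = /\A<\s*(\/?)\s*([a-zA-Z][a-zA-Z0-9]*)\s*([^>]*?)\s*(\/?)\s*>\z/
ATTR_RE  = /([a-zA-Z][a-zA-Z0-9:-]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/

# Conservative URL check: relative URLs pass, anything containing ":" must
# start with an allowed scheme. Whitespace and control characters are removed
# first so an obfuscated scheme is compared against its plain spelling.
def safe_url?(value)
  v = value.downcase.gsub(/[\x00-\x20]/, "")
  return true unless v.include?(":")
  ALLOWED_SCHEMES.any? { |s| v.start_with?("#{s}:") }
end

# Rebuild every tag from scratch: unknown tags (script, form, comments, ...)
# become literal text, unlisted attributes vanish, and surviving values are
# re-quoted and entity-escaped so they cannot break out of the attribute.
def sanitize_allowlist(html)
  html.gsub(CHUNK_RE) do |chunk|
    m = TAG_RE.match(chunk)
    allowed = m && ALLOWED_TAGS[m[2].downcase]
    next CGI.escapeHTML(chunk) unless allowed
    name, closing, self_close = m[2].downcase, m[1], m[4]
    next "</#{name}>" unless closing.empty?
    attrs = m[3].scan(ATTR_RE).map do |n, dq, sq, bare|
      n = n.downcase
      next unless allowed.include?(n)
      v = dq || sq || bare || ""
      next if URL_ATTRS.include?(n) && !safe_url?(v)
      %( #{n}="#{CGI.escapeHTML(v)}")
    end.compact.join
    tail = self_close.empty? ? "" : " /"
    "<#{name}#{attrs}#{tail}>"
  end
end

# Demo on a constructed comment: the img keeps src, loses the rest.
puts sanitize_allowlist('<IMG SRC="http://img.example/a.png" onmouseover="x()" style="color:red">')
```

In the view from the thread this would replace the call to sanitize, so the partial becomes textilize(sanitize_allowlist(c.description)); entity-encoded schemes are also handled, because the value is never entity-decoded before escaping, so a literal "&amp;#58;" reaches the browser as text rather than as a colon.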