Hey guys, What do people do to protect against cross-site request forgery? To mimic what rails does I was thinking of creating a unique key for each session, and then in my logged_in? helper checking if the key passed by the user matches the one I set in the session. On the second question, I''m using Tilt with Haml templates. Any idea how I can set Haml''s :escape_html option so each template escapes all HTML within variables? -- Dave
For cross-site request forgery protection I''ve simply used the
Rack::Csrf middleware before (http://github.com/baldowl/rack_csrf).
The github page is pretty self explanatory.
For Haml, you should just be able to set its :escape_html option to
true and then
%p= @something_nasty
will be escaped by default. See:
http://haml-lang.com/docs/yardoc/file.HAML_REFERENCE.html#escape_html-option
for more info.
Best,
Ted
On Mon, Aug 9, 2010 at 9:15 AM, David Susco <dsusco at gmail.com>
wrote:> Hey guys,
>
> What do people do to protect against cross-site request forgery? To
> mimic what rails does I was thinking of creating a unique key for each
> session, and then in my logged_in? helper checking if the key passed
> by the user matches the one I set in the session.
>
> On the second question, I''m using Tilt with Haml templates. Any
idea
> how I can set Haml''s :escape_html option so each template escapes
all
> HTML within variables?
>
> --
> Dave
> _______________________________________________
> Camping-list mailing list
> Camping-list at rubyforge.org
> http://rubyforge.org/mailman/listinfo/camping-list
>
Thanks I''ll look into the middleware. I know that''s how you escape HTML in Haml, what am asking though is how you set the :escape_html option when all you have is an instance of Tilt. Dave On Mon, Aug 9, 2010 at 12:22 PM, Ted Kimble <ted at tedkimble.com> wrote:> For cross-site request forgery protection I''ve simply used the > Rack::Csrf middleware before (http://github.com/baldowl/rack_csrf). > The github page is pretty self explanatory. > > For Haml, you should just be able to set its :escape_html option to > true and then > > ? ?%p= @something_nasty > > will be escaped by default. See: > > http://haml-lang.com/docs/yardoc/file.HAML_REFERENCE.html#escape_html-option > > for more info. > > Best, > Ted > > On Mon, Aug 9, 2010 at 9:15 AM, David Susco <dsusco at gmail.com> wrote: >> Hey guys, >> >> What do people do to protect against cross-site request forgery? To >> mimic what rails does I was thinking of creating a unique key for each >> session, and then in my logged_in? helper checking if the key passed >> by the user matches the one I set in the session. >> >> On the second question, I''m using Tilt with Haml templates. Any idea >> how I can set Haml''s :escape_html option so each template escapes all >> HTML within variables? >> >> -- >> Dave >> _______________________________________________ >> Camping-list mailing list >> Camping-list at rubyforge.org >> http://rubyforge.org/mailman/listinfo/camping-list >> > _______________________________________________ > Camping-list mailing list > Camping-list at rubyforge.org > http://rubyforge.org/mailman/listinfo/camping-list >-- Dave
David,
As far as I remember, this should work:
module App
set :haml, { :escape_html => true }
end
You set options (as specified in
http://github.com/rtomayko/tilt/blob/master/TEMPLATES.md) by:
set :EXTENSION, { :a=> true, :b => false }
// Magnus Holm
On Mon, Aug 9, 2010 at 19:08, David Susco <dsusco at gmail.com>
wrote:> Thanks I''ll look into the middleware.
>
> I know that''s how you escape HTML in Haml, what am asking though
is
> how you set the :escape_html option when all you have is an instance
> of Tilt.
>
> Dave
>
> On Mon, Aug 9, 2010 at 12:22 PM, Ted Kimble <ted at tedkimble.com>
wrote:
>> For cross-site request forgery protection I''ve simply used the
>> Rack::Csrf middleware before (http://github.com/baldowl/rack_csrf).
>> The github page is pretty self explanatory.
>>
>> For Haml, you should just be able to set its :escape_html option to
>> true and then
>>
>> ? ?%p= @something_nasty
>>
>> will be escaped by default. See:
>>
>>
http://haml-lang.com/docs/yardoc/file.HAML_REFERENCE.html#escape_html-option
>>
>> for more info.
>>
>> Best,
>> Ted
>>
>> On Mon, Aug 9, 2010 at 9:15 AM, David Susco <dsusco at gmail.com>
wrote:
>>> Hey guys,
>>>
>>> What do people do to protect against cross-site request forgery? To
>>> mimic what rails does I was thinking of creating a unique key for
each
>>> session, and then in my logged_in? helper checking if the key
passed
>>> by the user matches the one I set in the session.
>>>
>>> On the second question, I''m using Tilt with Haml
templates. Any idea
>>> how I can set Haml''s :escape_html option so each template
escapes all
>>> HTML within variables?
>>>
>>> --
>>> Dave
>>> _______________________________________________
>>> Camping-list mailing list
>>> Camping-list at rubyforge.org
>>> http://rubyforge.org/mailman/listinfo/camping-list
>>>
>> _______________________________________________
>> Camping-list mailing list
>> Camping-list at rubyforge.org
>> http://rubyforge.org/mailman/listinfo/camping-list
>>
>
>
>
> --
> Dave
> _______________________________________________
> Camping-list mailing list
> Camping-list at rubyforge.org
> http://rubyforge.org/mailman/listinfo/camping-list
>
Thanks, that did the trick. Got to comb through my templates now though :P. On Tue, Aug 10, 2010 at 4:01 PM, Magnus Holm <judofyr at gmail.com> wrote:> David, > > As far as I remember, this should work: > > ?module App > ? ?set :haml, { :escape_html => true } > ?end > > You set options (as specified in > http://github.com/rtomayko/tilt/blob/master/TEMPLATES.md) by: > > ?set :EXTENSION, { :a=> true, :b => false } > > // Magnus Holm > > > > On Mon, Aug 9, 2010 at 19:08, David Susco <dsusco at gmail.com> wrote: >> Thanks I''ll look into the middleware. >> >> I know that''s how you escape HTML in Haml, what am asking though is >> how you set the :escape_html option when all you have is an instance >> of Tilt. >> >> Dave >> >> On Mon, Aug 9, 2010 at 12:22 PM, Ted Kimble <ted at tedkimble.com> wrote: >>> For cross-site request forgery protection I''ve simply used the >>> Rack::Csrf middleware before (http://github.com/baldowl/rack_csrf). >>> The github page is pretty self explanatory. >>> >>> For Haml, you should just be able to set its :escape_html option to >>> true and then >>> >>> ? ?%p= @something_nasty >>> >>> will be escaped by default. See: >>> >>> http://haml-lang.com/docs/yardoc/file.HAML_REFERENCE.html#escape_html-option >>> >>> for more info. >>> >>> Best, >>> Ted >>> >>> On Mon, Aug 9, 2010 at 9:15 AM, David Susco <dsusco at gmail.com> wrote: >>>> Hey guys, >>>> >>>> What do people do to protect against cross-site request forgery? To >>>> mimic what rails does I was thinking of creating a unique key for each >>>> session, and then in my logged_in? helper checking if the key passed >>>> by the user matches the one I set in the session. >>>> >>>> On the second question, I''m using Tilt with Haml templates. Any idea >>>> how I can set Haml''s :escape_html option so each template escapes all >>>> HTML within variables? >>>> >>>> -- >>>> Dave >>>> _______________________________________________ >>>> Camping-list mailing list >>>> Camping-list at rubyforge.org >>>> http://rubyforge.org/mailman/listinfo/camping-list >>>> >>> _______________________________________________ >>> Camping-list mailing list >>> Camping-list at rubyforge.org >>> http://rubyforge.org/mailman/listinfo/camping-list >>> >> >> >> >> -- >> Dave >> _______________________________________________ >> Camping-list mailing list >> Camping-list at rubyforge.org >> http://rubyforge.org/mailman/listinfo/camping-list >> > _______________________________________________ > Camping-list mailing list > Camping-list at rubyforge.org > http://rubyforge.org/mailman/listinfo/camping-list-- Dave
Great; sorry for the delay, but I''ve been here in the last days :-) http://upload.wikimedia.org/wikipedia/commons/b/bd/Preikestolen_Norge.jpg // Magnus Holm On Tue, Aug 10, 2010 at 22:50, David Susco <dsusco at gmail.com> wrote:> Thanks, that did the trick. Got to comb through my templates now though :P. > > On Tue, Aug 10, 2010 at 4:01 PM, Magnus Holm <judofyr at gmail.com> wrote: >> David, >> >> As far as I remember, this should work: >> >> ?module App >> ? ?set :haml, { :escape_html => true } >> ?end >> >> You set options (as specified in >> http://github.com/rtomayko/tilt/blob/master/TEMPLATES.md) by: >> >> ?set :EXTENSION, { :a=> true, :b => false } >> >> // Magnus Holm >> >> >> >> On Mon, Aug 9, 2010 at 19:08, David Susco <dsusco at gmail.com> wrote: >>> Thanks I''ll look into the middleware. >>> >>> I know that''s how you escape HTML in Haml, what am asking though is >>> how you set the :escape_html option when all you have is an instance >>> of Tilt. >>> >>> Dave >>> >>> On Mon, Aug 9, 2010 at 12:22 PM, Ted Kimble <ted at tedkimble.com> wrote: >>>> For cross-site request forgery protection I''ve simply used the >>>> Rack::Csrf middleware before (http://github.com/baldowl/rack_csrf). >>>> The github page is pretty self explanatory. >>>> >>>> For Haml, you should just be able to set its :escape_html option to >>>> true and then >>>> >>>> ? ?%p= @something_nasty >>>> >>>> will be escaped by default. See: >>>> >>>> http://haml-lang.com/docs/yardoc/file.HAML_REFERENCE.html#escape_html-option >>>> >>>> for more info. >>>> >>>> Best, >>>> Ted >>>> >>>> On Mon, Aug 9, 2010 at 9:15 AM, David Susco <dsusco at gmail.com> wrote: >>>>> Hey guys, >>>>> >>>>> What do people do to protect against cross-site request forgery? To >>>>> mimic what rails does I was thinking of creating a unique key for each >>>>> session, and then in my logged_in? helper checking if the key passed >>>>> by the user matches the one I set in the session. >>>>> >>>>> On the second question, I''m using Tilt with Haml templates. Any idea >>>>> how I can set Haml''s :escape_html option so each template escapes all >>>>> HTML within variables? >>>>> >>>>> -- >>>>> Dave >>>>> _______________________________________________ >>>>> Camping-list mailing list >>>>> Camping-list at rubyforge.org >>>>> http://rubyforge.org/mailman/listinfo/camping-list >>>>> >>>> _______________________________________________ >>>> Camping-list mailing list >>>> Camping-list at rubyforge.org >>>> http://rubyforge.org/mailman/listinfo/camping-list >>>> >>> >>> >>> >>> -- >>> Dave >>> _______________________________________________ >>> Camping-list mailing list >>> Camping-list at rubyforge.org >>> http://rubyforge.org/mailman/listinfo/camping-list >>> >> _______________________________________________ >> Camping-list mailing list >> Camping-list at rubyforge.org >> http://rubyforge.org/mailman/listinfo/camping-list > > > > -- > Dave > _______________________________________________ > Camping-list mailing list > Camping-list at rubyforge.org > http://rubyforge.org/mailman/listinfo/camping-list >
Now that looks like a fun climb. =) Dave On Tue, Aug 10, 2010 at 5:25 PM, Magnus Holm <judofyr at gmail.com> wrote:> Great; sorry for the delay, but I''ve been here in the last days :-) > > http://upload.wikimedia.org/wikipedia/commons/b/bd/Preikestolen_Norge.jpg > > // Magnus Holm > > > > On Tue, Aug 10, 2010 at 22:50, David Susco <dsusco at gmail.com> wrote: >> Thanks, that did the trick. Got to comb through my templates now though :P. >> >> On Tue, Aug 10, 2010 at 4:01 PM, Magnus Holm <judofyr at gmail.com> wrote: >>> David, >>> >>> As far as I remember, this should work: >>> >>> ?module App >>> ? ?set :haml, { :escape_html => true } >>> ?end >>> >>> You set options (as specified in >>> http://github.com/rtomayko/tilt/blob/master/TEMPLATES.md) by: >>> >>> ?set :EXTENSION, { :a=> true, :b => false } >>> >>> // Magnus Holm >>> >>> >>> >>> On Mon, Aug 9, 2010 at 19:08, David Susco <dsusco at gmail.com> wrote: >>>> Thanks I''ll look into the middleware. >>>> >>>> I know that''s how you escape HTML in Haml, what am asking though is >>>> how you set the :escape_html option when all you have is an instance >>>> of Tilt. >>>> >>>> Dave >>>> >>>> On Mon, Aug 9, 2010 at 12:22 PM, Ted Kimble <ted at tedkimble.com> wrote: >>>>> For cross-site request forgery protection I''ve simply used the >>>>> Rack::Csrf middleware before (http://github.com/baldowl/rack_csrf). >>>>> The github page is pretty self explanatory. >>>>> >>>>> For Haml, you should just be able to set its :escape_html option to >>>>> true and then >>>>> >>>>> ? ?%p= @something_nasty >>>>> >>>>> will be escaped by default. See: >>>>> >>>>> http://haml-lang.com/docs/yardoc/file.HAML_REFERENCE.html#escape_html-option >>>>> >>>>> for more info. >>>>> >>>>> Best, >>>>> Ted >>>>> >>>>> On Mon, Aug 9, 2010 at 9:15 AM, David Susco <dsusco at gmail.com> wrote: >>>>>> Hey guys, >>>>>> >>>>>> What do people do to protect against cross-site request forgery? To >>>>>> mimic what rails does I was thinking of creating a unique key for each >>>>>> session, and then in my logged_in? helper checking if the key passed >>>>>> by the user matches the one I set in the session. >>>>>> >>>>>> On the second question, I''m using Tilt with Haml templates. Any idea >>>>>> how I can set Haml''s :escape_html option so each template escapes all >>>>>> HTML within variables? >>>>>> >>>>>> -- >>>>>> Dave >>>>>> _______________________________________________ >>>>>> Camping-list mailing list >>>>>> Camping-list at rubyforge.org >>>>>> http://rubyforge.org/mailman/listinfo/camping-list >>>>>> >>>>> _______________________________________________ >>>>> Camping-list mailing list >>>>> Camping-list at rubyforge.org >>>>> http://rubyforge.org/mailman/listinfo/camping-list >>>>> >>>> >>>> >>>> >>>> -- >>>> Dave >>>> _______________________________________________ >>>> Camping-list mailing list >>>> Camping-list at rubyforge.org >>>> http://rubyforge.org/mailman/listinfo/camping-list >>>> >>> _______________________________________________ >>> Camping-list mailing list >>> Camping-list at rubyforge.org >>> http://rubyforge.org/mailman/listinfo/camping-list >> >> >> >> -- >> Dave >> _______________________________________________ >> Camping-list mailing list >> Camping-list at rubyforge.org >> http://rubyforge.org/mailman/listinfo/camping-list >> > _______________________________________________ > Camping-list mailing list > Camping-list at rubyforge.org > http://rubyforge.org/mailman/listinfo/camping-list-- Dave
Ted, Do you use Camping::Session with Rack::Csrf? If so, how did you get it to work? Once I include Camping::Session the csrf_token changes every time I call the method. Can anyone explain what include Camping::Session is actually doing? Dave On Mon, Aug 9, 2010 at 12:22 PM, Ted Kimble <ted at tedkimble.com> wrote:> For cross-site request forgery protection I''ve simply used the > Rack::Csrf middleware before (http://github.com/baldowl/rack_csrf). > The github page is pretty self explanatory. > > For Haml, you should just be able to set its :escape_html option to > true and then > > ? ?%p= @something_nasty > > will be escaped by default. See: > > http://haml-lang.com/docs/yardoc/file.HAML_REFERENCE.html#escape_html-option > > for more info. > > Best, > Ted > > On Mon, Aug 9, 2010 at 9:15 AM, David Susco <dsusco at gmail.com> wrote: >> Hey guys, >> >> What do people do to protect against cross-site request forgery? To >> mimic what rails does I was thinking of creating a unique key for each >> session, and then in my logged_in? helper checking if the key passed >> by the user matches the one I set in the session. >> >> On the second question, I''m using Tilt with Haml templates. Any idea >> how I can set Haml''s :escape_html option so each template escapes all >> HTML within variables? >> >> -- >> Dave >> _______________________________________________ >> Camping-list mailing list >> Camping-list at rubyforge.org >> http://rubyforge.org/mailman/listinfo/camping-list >> > _______________________________________________ > Camping-list mailing list > Camping-list at rubyforge.org > http://rubyforge.org/mailman/listinfo/camping-list >-- Dave
Dave, Unfortunately I''ve actually not yet used Rack::Csrf with Camping. In Sinatra, I just: use Rack::Session::Cookie, :secret => "something" use Rack::Csrf and it works fine. Looking at Camping''s source for Camping::Session, it looks like it''s basically doing the same (http://github.com/camping/camping/blob/master/lib/camping/session.rb#L32). The csrf_token shouldn''t be changing every time, as Rack::Csrf is storing it in your session. Can you verify that "rack.session" is present in your session. Ted On Wed, Aug 11, 2010 at 2:33 PM, David Susco <dsusco at gmail.com> wrote:> Ted, > > Do you use Camping::Session with Rack::Csrf? If so, how did you get it > to work? Once I include Camping::Session the csrf_token changes every > time I call the method. > > Can anyone explain what include Camping::Session is actually doing? > > Dave > > On Mon, Aug 9, 2010 at 12:22 PM, Ted Kimble <ted at tedkimble.com> wrote: >> For cross-site request forgery protection I''ve simply used the >> Rack::Csrf middleware before (http://github.com/baldowl/rack_csrf). >> The github page is pretty self explanatory. >> >> For Haml, you should just be able to set its :escape_html option to >> true and then >> >> ? ?%p= @something_nasty >> >> will be escaped by default. See: >> >> http://haml-lang.com/docs/yardoc/file.HAML_REFERENCE.html#escape_html-option >> >> for more info. >> >> Best, >> Ted >> >> On Mon, Aug 9, 2010 at 9:15 AM, David Susco <dsusco at gmail.com> wrote: >>> Hey guys, >>> >>> What do people do to protect against cross-site request forgery? To >>> mimic what rails does I was thinking of creating a unique key for each >>> session, and then in my logged_in? helper checking if the key passed >>> by the user matches the one I set in the session. >>> >>> On the second question, I''m using Tilt with Haml templates. Any idea >>> how I can set Haml''s :escape_html option so each template escapes all >>> HTML within variables? >>> >>> -- >>> Dave >>> _______________________________________________ >>> Camping-list mailing list >>> Camping-list at rubyforge.org >>> http://rubyforge.org/mailman/listinfo/camping-list >>> >> _______________________________________________ >> Camping-list mailing list >> Camping-list at rubyforge.org >> http://rubyforge.org/mailman/listinfo/camping-list >> > > > > -- > Dave > _______________________________________________ > Camping-list mailing list > Camping-list at rubyforge.org > http://rubyforge.org/mailman/listinfo/camping-list >
This example worked here:
require ''rubygems''
require ''rack/csrf''
require ''camping''
require ''camping/session''
Camping.goes :Hello
module Hello
use Rack::Csrf
include Camping::Session
end
module Hello::Controllers
class Index
def get
Rack::Csrf.csrf_token(@env)
end
end
end
Notice that you''ll have to reverse the `use`-lines. Maybe we should
file that as a bug? Since it works the other way both in Rackup files
and Sinatra?
// Magnus Holm
On Wed, Aug 11, 2010 at 21:33, David Susco <dsusco at gmail.com>
wrote:> Ted,
>
> Do you use Camping::Session with Rack::Csrf? If so, how did you get it
> to work? Once I include Camping::Session the csrf_token changes every
> time I call the method.
>
> Can anyone explain what include Camping::Session is actually doing?
>
> Dave
>
> On Mon, Aug 9, 2010 at 12:22 PM, Ted Kimble <ted at tedkimble.com>
wrote:
>> For cross-site request forgery protection I''ve simply used the
>> Rack::Csrf middleware before (http://github.com/baldowl/rack_csrf).
>> The github page is pretty self explanatory.
>>
>> For Haml, you should just be able to set its :escape_html option to
>> true and then
>>
>> ? ?%p= @something_nasty
>>
>> will be escaped by default. See:
>>
>>
http://haml-lang.com/docs/yardoc/file.HAML_REFERENCE.html#escape_html-option
>>
>> for more info.
>>
>> Best,
>> Ted
>>
>> On Mon, Aug 9, 2010 at 9:15 AM, David Susco <dsusco at gmail.com>
wrote:
>>> Hey guys,
>>>
>>> What do people do to protect against cross-site request forgery? To
>>> mimic what rails does I was thinking of creating a unique key for
each
>>> session, and then in my logged_in? helper checking if the key
passed
>>> by the user matches the one I set in the session.
>>>
>>> On the second question, I''m using Tilt with Haml
templates. Any idea
>>> how I can set Haml''s :escape_html option so each template
escapes all
>>> HTML within variables?
>>>
>>> --
>>> Dave
>>> _______________________________________________
>>> Camping-list mailing list
>>> Camping-list at rubyforge.org
>>> http://rubyforge.org/mailman/listinfo/camping-list
>>>
>> _______________________________________________
>> Camping-list mailing list
>> Camping-list at rubyforge.org
>> http://rubyforge.org/mailman/listinfo/camping-list
>>
>
>
>
> --
> Dave
> _______________________________________________
> Camping-list mailing list
> Camping-list at rubyforge.org
> http://rubyforge.org/mailman/listinfo/camping-list
>