Hey guys,

What do people do to protect against cross-site request forgery? To mimic what rails does I was thinking of creating a unique key for each session, and then in my logged_in? helper checking if the key passed by the user matches the one I set in the session.

On the second question, I'm using Tilt with Haml templates. Any idea how I can set Haml's :escape_html option so each template escapes all HTML within variables?

--
Dave
_______________________________________________
Camping-list mailing list
Camping-list at rubyforge.org
http://rubyforge.org/mailman/listinfo/camping-list
For cross-site request forgery protection I've simply used the Rack::Csrf middleware before (http://github.com/baldowl/rack_csrf). The github page is pretty self explanatory.

For Haml, you should just be able to set its :escape_html option to true and then

    %p= @something_nasty

will be escaped by default. See: http://haml-lang.com/docs/yardoc/file.HAML_REFERENCE.html#escape_html-option for more info.

Best,
Ted

On Mon, Aug 9, 2010 at 9:15 AM, David Susco <dsusco at gmail.com> wrote:
Thanks, I'll look into the middleware.

I know that's how you escape HTML in Haml; what I am asking though is how you set the :escape_html option when all you have is an instance of Tilt.

Dave

On Mon, Aug 9, 2010 at 12:22 PM, Ted Kimble <ted at tedkimble.com> wrote:
David,

As far as I remember, this should work:

    module App
      set :haml, { :escape_html => true }
    end

You set options (as specified in http://github.com/rtomayko/tilt/blob/master/TEMPLATES.md) by:

    set :EXTENSION, { :a => true, :b => false }

// Magnus Holm

On Mon, Aug 9, 2010 at 19:08, David Susco <dsusco at gmail.com> wrote:
Thanks, that did the trick. Got to comb through my templates now though :P.

--
Dave

On Tue, Aug 10, 2010 at 4:01 PM, Magnus Holm <judofyr at gmail.com> wrote:
Great; sorry for the delay, but I've been here in the last days :-)

http://upload.wikimedia.org/wikipedia/commons/b/bd/Preikestolen_Norge.jpg

// Magnus Holm

On Tue, Aug 10, 2010 at 22:50, David Susco <dsusco at gmail.com> wrote:
Now that looks like a fun climb. =)

Dave

On Tue, Aug 10, 2010 at 5:25 PM, Magnus Holm <judofyr at gmail.com> wrote:
Ted,

Do you use Camping::Session with Rack::Csrf? If so, how did you get it to work? Once I include Camping::Session the csrf_token changes every time I call the method.

Can anyone explain what include Camping::Session is actually doing?

Dave

On Mon, Aug 9, 2010 at 12:22 PM, Ted Kimble <ted at tedkimble.com> wrote:
Dave,

Unfortunately I've actually not yet used Rack::Csrf with Camping. In Sinatra, I just:

    use Rack::Session::Cookie, :secret => "something"
    use Rack::Csrf

and it works fine. Looking at Camping's source for Camping::Session, it looks like it's basically doing the same (http://github.com/camping/camping/blob/master/lib/camping/session.rb#L32).

The csrf_token shouldn't be changing every time, as Rack::Csrf is storing it in your session. Can you verify that "rack.session" is present in your session?

Ted

On Wed, Aug 11, 2010 at 2:33 PM, David Susco <dsusco at gmail.com> wrote:
This example worked here:

    require 'rubygems'
    require 'rack/csrf'
    require 'camping'
    require 'camping/session'

    Camping.goes :Hello

    module Hello
      use Rack::Csrf           # CSRF middleware
      include Camping::Session # sets up the cookie session Rack::Csrf stores its token in
    end

    module Hello::Controllers
      class Index
        def get
          Rack::Csrf.csrf_token(@env) # returns the session's token
        end
      end
    end

Notice that you'll have to reverse the `use`-lines. Maybe we should file that as a bug? Since it works the other way both in Rackup files and Sinatra?

// Magnus Holm

On Wed, Aug 11, 2010 at 21:33, David Susco <dsusco at gmail.com> wrote:
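An added example, not code from this thread nor from Camping or rack_csrf, that spells out the session-backed token scheme Dave sketched and the "is rack.session present" check Ted suggests, then runs a two-request simulation over one persisted session. SessionCsrf, its helpers and simulate are hypothetical names; the session is a plain Hash standing in for a Rack session store.

```ruby
require 'securerandom'

# Session-backed CSRF token in the style discussed above: one random key per
# session, handed to forms, and checked on every state-changing request.
# `env` is a Rack-style Hash; the session Hash lives under env['rack.session'].
module SessionCsrf
  TOKEN_KEY = 'csrf.token'
  SAFE_METHODS = %w[GET HEAD OPTIONS].freeze

  # Hypothetical helper: fetch the session's token, minting it once per session.
  # Raises when no session is present, so a missing session layer fails loudly
  # instead of silently handing out a fresh token on every request.
  def self.token(env)
    session = env['rack.session']
    raise ArgumentError, 'rack.session missing: session middleware must wrap CSRF' if session.nil?
    session[TOKEN_KEY] ||= SecureRandom.hex(32)
  end

  # Constant-time comparison so the token check does not leak timing information.
  def self.secure_compare(a, b)
    return false unless a.is_a?(String) && b.is_a?(String)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end

  # The check a logged_in?-style helper would run: safe methods pass, anything
  # else must carry the session's token in the `_csrf` parameter.
  def self.valid?(env, params)
    return true if SAFE_METHODS.include?(env['REQUEST_METHOD'])
    session = env['rack.session']
    return false if session.nil? || session[TOKEN_KEY].nil?
    secure_compare(session[TOKEN_KEY], params['_csrf'].to_s)
  end
end

# Simulate two requests sharing one persisted session (what a cookie session
# store provides) and return the outcomes. Constructed data, no network.
def simulate
  session = {}                                   # persists across both requests
  get  = { 'REQUEST_METHOD' => 'GET',  'rack.session' => session }
  post = { 'REQUEST_METHOD' => 'POST', 'rack.session' => session }

  first  = SessionCsrf.token(get)                # minted when the form is rendered
  second = SessionCsrf.token(post)               # same session => same token
  {
    stable:  first == second,
    genuine: SessionCsrf.valid?(post, '_csrf' => first),    # form from our own page
    forged:  SessionCsrf.valid?(post, '_csrf' => 'x' * 64), # cross-site form: wrong token
    missing: SessionCsrf.valid?(post, {}),                  # cross-site form: no token
  }
end

puts simulate.inspect if __FILE__ == $PROGRAM_NAME
```

A token that changes between requests means the session it is stored in is not the same object on each request, which is exactly what checking for "rack.session" surfaces.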