Hi!

I wanna take a stab at implementing better XSS prevention for Rails. This time for real =)

I'm wondering what would be the better way, clean everything up with tidy first and then do the rest with regexp or regexp all the way? Anybody done this before?

Thanks!

Ciao!
Florian
> I wanna take a stab at implementing better XSS prevention for Rails.
> This time for real =)
>
> I'm wondering what would be the better way, clean everything up with
> tidy first and then do the rest with regexp or regexp all the way?
> Anybody done this before?

Have a look at TextHelper#sanitize and go from there. http://ha.ckers.org/xss.html has a good list of things to guard for. It would be cool to turn that site into a test case and work until we pass 'em all.

--
David Heinemeier Hansson
http://www.loudthinking.com -- Broadcasting Brain
http://www.basecamphq.com -- Online project management
http://www.backpackit.com -- Personal information manager
http://www.rubyonrails.com -- Web-application framework
> Have a look at TextHelper#sanitize and go from there.
> http://ha.ckers.org/xss.html has a good list of things to guard for.
> It would be cool to turn that site into a test case and work until we
> pass 'em all.

Yep, that's exactly what I had in mind too =)
Has there been any progress on this? I have an OWASP compliance review @ my day job and would like something like this to point to. Thanks!

On Monday, January 09, 2006, at 8:56 PM, Florian Weber wrote:
>> Have a look at TextHelper#sanitize and go from there.
>> http://ha.ckers.org/xss.html has a good list of things to guard for.
>> It would be cool to turn that site into a test case and work until we
>> pass 'em all.
>
> Yep, that's exactly what I had in mind too =)

Cheers!
--Dave.
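The test-driven allowlist approach David suggests above, as an added example that is not part of this thread or of Rails' own TextHelper#sanitize: a small Ruby sanitizer that keeps only known tags and attributes (so nothing has to be pattern-matched away) and checks itself against a handful of constructed cheat-sheet style vectors. XssSanitizer, ALLOWED_TAGS, XSS_VECTORS and passes_cheat_sheet? are assumed names, and the vectors are stand-ins for the ha.ckers.org list, not copied from it.

```ruby
require 'strscan'
module XssSanitizer
  ALLOWED_TAGS = {                       # tag => attributes it may keep; all else is dropped
    'a' => %w[href], 'b' => [], 'i' => [], 'em' => [], 'strong' => [],
    'p' => [], 'br' => [], 'code' => []
  }.freeze
  SAFE_URL = %r{\A(?:https?://|/|#)}i    # explicit web scheme, path or fragment only
  ATTR = /([a-z][a-z0-9-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i
  TAG  = %r{<(/?)([a-z][a-z0-9]*)\b([^>]*)>}i

  def self.sanitize(html)
    # Remove script/style elements together with their bodies first.
    html = html.gsub(%r{<(script|style)\b[^>]*>.*?</\1\s*>}mi, '')
    out, s = +'', StringScanner.new(html)
    until s.eos?
      if s.scan(TAG)
        out << rebuild_tag(s[1], s[2].downcase, s[3])
      elsif s.scan(/</)
        out << '&lt;'                    # a stray '<' must never open a tag later
      else
        out << s.scan(/[^<]+/).gsub('>', '&gt;')
      end
    end
    out
  end

  def self.rebuild_tag(closing, name, attrs)
    return '' unless (allowed = ALLOWED_TAGS[name])   # unknown tag: drop it, keep its text
    return "</#{name}>" unless closing.empty?
    kept = attrs.scan(ATTR).filter_map do |attr, *vals|
      attr = attr.downcase
      next unless allowed.include?(attr)               # event handlers etc. never pass
      value = vals.compact.first.to_s
      next if attr == 'href' && value !~ SAFE_URL      # javascript:, data:, entity tricks
      %( #{attr}="#{value.gsub('"', '&quot;')}")
    end.join
    "<#{name}#{kept}>"
  end

  # Constructed stand-ins for cheat-sheet vectors, each with the output we require.
  XSS_VECTORS = {
    '<script>alert(1)</script>' => '',
    %q(<IMG SRC="javascript:alert('XSS');">) => '',
    '<scr<script>ipt>alert(1)</scr</script>ipt>' => '',
    '<a href="&#106;avascript:alert(1)">x</a>' => '<a>x</a>'
  }.freeze
  def self.passes_cheat_sheet?
    XSS_VECTORS.all? { |vector, want| sanitize(vector) == want }
  end
end
```

Growing XSS_VECTORS until every entry of the real list passes is the test case David describes; each new vector that slips through points at a missing rule, not at a new pattern to deny.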