Hi folks,

I'm the maintainer of Haml, and I've been hearing all about the new on-by-default XSS protection stuff. I'm wondering what your plan for compatibility with alternate templating engines is. I'd really appreciate not having to come up with all sorts of alternate compilation paths for Rails code with XSS protection enabled - this would make the code much more brittle, and apt to break in odd Rails-specific ways that will be hard for users to understand and hard for me to track down.

- Nathan Weizenbaum
> I'm the maintainer of Haml, and I've been hearing all about the new on-
> by-default XSS protection stuff. I'm wondering what your plan for
> compatibility with alternate templating engines is. I'd really
> appreciate not having to come up with all sorts of alternate
> compilation paths for Rails code with XSS protection enabled - this
> would make the code much more brittle, and apt to break in odd Rails-
> specific ways that will be hard for users to understand and hard for
> me to track down.

Your templating engine should continue to work 100% without any errors. The 'escape-me' behaviour is limited to the erb template handler (builder already does this obviously).

If you *want* on-by-default escaping you'll just need to work with an ActionView::SafeBuffer instead of a string.

The only surprise you could get is if you use with_output_buffer and *don't* pass it a buffer, in that case it'll now default to a safe buffer.

> - Nathan Weizenbaum

--
Cheers

Koz
Koz,

The problem is that we're telling people that XSS is on by default, when using an alternate template engine drives a big truck through that firewall. We need a simple API for alternate template engines opting in to this behavior.

Nathan, what about the current APIs is too cumbersome for your needs?

Koz, any thoughts on how we might make it easier to opt in? What about a dev. mode warning if you're using a template engine that doesn't escape?

-- Yehuda

On Sun, Oct 11, 2009 at 11:02 AM, Michael Koziarski <michael@koziarski.com> wrote:
> Your templating engine should continue to work 100% without any
> errors. The 'escape-me' behaviour is limited to the erb template
> handler (builder already does this obviously).
>
> If you *want* on by default escaping you'll just need to work with an
> ActionView::SafeBuffer instead of a string.
>
> The only surprise you could get is if you use with_output_buffer and
> *don't* pass it a buffer, in that case it'll now default to a safe
> buffer.

--
Yehuda Katz
Developer | Engine Yard
(ph) 718.877.1325

You received this message because you are subscribed to the Google Groups "Ruby on Rails: Core" group.
To post to this group, send email to rubyonrails-core@googlegroups.com
To unsubscribe from this group, send email to rubyonrails-core+unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/rubyonrails-core?hl=en
On Mon, Oct 12, 2009 at 10:04 AM, Yehuda Katz <wycats@gmail.com> wrote:
> Koz,
> The problem is that we're telling people that XSS is on by default, when
> using an alternate template engine drives a big truck through that firewall.

There's no way to avoid this, template engines maintain their own buffer which we have no control over.

> Koz, any thoughts on how we might make it easier to opt in? What about a
> dev. mode warning if you're using a template engine that doesn't escape?

The only way we could detect this is if a render call returned something other than a SafeBuffer and was an engine other than builder. I think you're making more out of this than you need to, alternative engines such as ones which generate pdfs or other non-html formats have nothing to do with this.

I'd be happy if we rejigged the marketing message to say "erb and builder templates are xss safe" but that seems needless hesitation. It's trivial for other templates to opt in, and I say we just encourage them to.

--
Cheers

Koz
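Koz's two points above, the opt-in (render into a SafeBuffer instead of a String) and the detection idea (a render result that is not a SafeBuffer came from an engine that has not opted in), as an added example that is not part of this thread and not Rails' code. The `SafeBuffer` stand-in, the `String#html_safe`/`html_safe?` helpers, `HTML_ESCAPES` and the toy `render_into` engine are all constructed here to mirror the behaviour the thread describes.

```ruby
# Constructed stand-in for ActionView::SafeBuffer (modelled on the behaviour
# described in the thread, not Rails' own code): a String subclass that
# HTML-escapes anything appended to it unless the value is already marked safe.
HTML_ESCAPES = { "&" => "&amp;", "<" => "&lt;", ">" => "&gt;",
                 '"' => "&quot;", "'" => "&#39;" }.freeze

class String
  def html_safe?; false; end               # hypothetical helpers, standing in
  def html_safe; SafeBuffer.new(self); end # for what ActiveSupport adds
end

class SafeBuffer < String
  def html_safe?; true; end

  # Appending escapes untrusted (plain String) values and passes safe ones through.
  def <<(value)
    str = value.to_s
    super(value.html_safe? ? str : str.gsub(/[&<>"']/, HTML_ESCAPES))
  end
end

# Toy template engine: literal template text is trusted markup, {{name}}
# placeholders are filled from locals. It writes into whatever buffer it is
# handed, so opting in is just a matter of handing it a SafeBuffer.
def render_into(buffer, template, locals)
  template.scan(/\{\{(\w+)\}\}|([^{]+)/) do |key, literal|
    buffer << (key ? locals.fetch(key.to_sym) : literal.html_safe)
  end
  buffer
end

def render_plain(template, locals)    # engine still using a String buffer
  render_into(String.new, template, locals)
end

def render_escaped(template, locals)  # same engine after opting in
  render_into(SafeBuffer.new, template, locals)
end

# Constructed sample input: the template is trusted, the local is user-supplied.
TEMPLATE  = "<p>Hello, {{name}}</p>"
USER_NAME = "<b>Mallory</b>"

if __FILE__ == $0
  puts render_plain(TEMPLATE, name: USER_NAME)             # markup passes through
  puts render_escaped(TEMPLATE, name: USER_NAME)           # markup is escaped
  puts render_escaped(TEMPLATE, name: USER_NAME.html_safe) # explicitly trusted
  # The detection check from the thread: only the opted-in engine returns a
  # safe buffer, so render_plain(...).html_safe? is false.
end
```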
Maybe a simple wiki page with a table listing the currently supported template engines and its features is enough. One of these features would obviously be "XSS safe".

On Mon, 2009-10-12 at 10:14 +1300, Michael Koziarski wrote:
> I'd be happy if we rejigged the marketing message to say "erb and
> builder templates are xss safe" but that seems needless hesitation.
> It's trivial for other templates to opt in, and I say we just
> encourage them to.

--
Carlos Henrique Júnior
Milk-it Software House
carlos@milk-it.net
(31) 8763-5606 / 3227-1009
2009/10/11 Carlos Júnior <carlos@milk-it.net>:
> Maybe a simple wiki page with a table listing the currently supported
> template engines and its features is enough. One of these features
> would obviously be "XSS safe"
>
> On Mon, 2009-10-12 at 10:14 +1300, Michael Koziarski wrote:
>> I'd be happy if we rejigged the marketing message to say "erb and
>> builder templates are xss safe" but that seems needless hesitation.
>> It's trivial for other templates to opt in, and I say we just
>> encourage them to.

Uhm, but all templating engines have their own way of handling. Haml escapes by default in its latest releases, right? (I've been out of touch for a long while) Or is it a setting? (in which case, it could be turned on by default on rails)

-foca