spyboost
2007-Dec-16 23:34 UTC
stripTags() function doesn't work properly as it is expected to
I've noticed a strange behavior of the stripTags() function. As the documentation says about stripTags(): "Strips a string of any HTML tag." But this function eliminates only the tags, not the content inside. I tested it with a response containing a mix of JSON data and some HTML code. Here it is:

******************* JSP PAGE **********************************************
<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
<%@taglib uri="http://www.atg.com/taglibs/json" prefix="json" %>
<json:object>
  <json:object name="elements">
    <json:property name="Rating" value="${rating}" />
    <json:property name="Count" value="${count}"/>
  </json:object>
</json:object>
<script>alert('Bye bye');</script>
<div>I will survive after stripTags()</div>
**********************************************************************************

Then, in my JavaScript I typed the following code (responseText is retrieved after the AJAX execution; for simplicity I omit the AJAX code and provide only a piece of the callback function onAjaxLoad):

//JavaScript code
var responseText = responseText.stripScripts().stripTags().strip(); // malicious text is still present in the response.

The stripScripts() function eliminates the <script>[content]</script> tag totally. But after stripTags() has finished, the "I will survive after stripTags()" text is still present in responseText.

Everything would be fine if the stripTags() function worked like stripScripts() does. Is this the correct behavior for the stripTags() function? If yes, then the documentation should be changed.

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Spinoffs" group.
To post to this group, send email to rubyonrails-spinoffs-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-spinoffs-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-spinoffs?hl=en
-~----------~----~----~----~------~----~------~--~---
Nicolás Sanguinetti
2007-Dec-16 23:39 UTC
Re: stripTags() function doesn't work properly as it is expected to
Yeah, it's working correctly. The idea is to remove *only* the tags, in order to, for example, 'clean' client code. (You don't want that <h1> they put breaking up all your layout :)) If you look at the first example, you'll see that they remove the tag, but the content remains :)

Best,
-Nicolas
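To make the distinction in the reply above concrete, here is an added illustration. It is not code from the thread and not Prototype.js source: the three helpers are reimplemented with simplified regular expressions (an assumption about their shape, not Prototype's actual patterns), run over a constructed stand-in for the mixed JSON + HTML response from the original post, and then contrasted with the approach that avoids the problem altogether, serving pure JSON and parsing it as data. The sample JSON values, the function names, and the "<scr<div>ipt>" probe are all made up for this example.

```javascript
// Added illustration for the thread above. Not Prototype.js source and not
// code from either poster; the regexes below are simplified approximations
// of what a stripScripts()/stripTags()/strip() trio does (assumption).

const SCRIPT_RE = /<script[^>]*>[\s\S]*?<\/script\s*>/gi;
const TAG_RE = /<\w+(\s+("[^"]*"|'[^']*'|[^>])+)?>|<\/\w+>/gi;

// Removes each <script> element together with everything inside it.
function stripScripts(s) { return s.replace(SCRIPT_RE, ''); }

// Removes opening and closing tags only; the text between them is untouched.
function stripTags(s) { return s.replace(TAG_RE, ''); }

// Trims leading and trailing whitespace (what strip() does, roughly).
function strip(s) { return s.replace(/^\s+|\s+$/g, ''); }

// Constructed stand-in for the JSP output in the original post: JSON
// followed by a script element and a div. The JSON values are made up.
const MIXED_RESPONSE = [
  '{"elements": {"Rating": "4", "Count": "12"}}',
  "<script>alert('Bye bye');</script>",
  '<div>I will survive after stripTags()</div>',
].join('\n');

const PURE_JSON = '{"elements": {"Rating": "4", "Count": "12"}}';

// The exact chain from the post. Result: the script element and its body
// are gone, the <div> wrapper is gone, the div's text survives.
function cleanAsInThread(text) {
  return strip(stripTags(stripScripts(text)));
}

// stripTags() is a layout helper, not a sanitizer. With this pattern a
// single pass rebuilds a tag out of fragments that were split by another
// tag, so the output contains markup the input did not. Whether a given
// Prototype release behaves the same depends on its exact regex; this
// shows the class of problem, not a specific version.
function singlePassBypass() {
  return stripTags('<scr<div>ipt>alert(1)</scr<div>ipt>');
}

// The robust fix for the scenario in the post: serve only JSON from the
// endpoint and treat the body as data. A body with HTML appended is then
// rejected by the parser instead of being "cleaned".
function parseJsonResponse(text) {
  return JSON.parse(text);
}

function isAcceptedAsJson(text) {
  try {
    parseJsonResponse(text);
    return true;
  } catch (e) {
    return false;
  }
}

console.log('after stripScripts().stripTags().strip():');
console.log(cleanAsInThread(MIXED_RESPONSE));
console.log('single-pass bypass of stripTags():', singlePassBypass());
console.log('mixed body accepted as JSON?', isAcceptedAsJson(MIXED_RESPONSE));
console.log('pure JSON accepted?', isAcceptedAsJson(PURE_JSON));
```

The practical takeaway for the situation in the post: the page is mixing data and markup in one response, and no amount of client-side stripping makes that safe. Emit only JSON (with an application/json content type) from that JSP, parse it with JSON.parse, and if any of the values are later shown in the page, assign them via textContent rather than innerHTML.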
spyboost
2007-Dec-16 23:47 UTC
Re: stripTags() function doesn't work properly as it is expected to
Thanks for the quick reply :) But the documentation is a little confusing: almost the same text as for stripScripts but absolutely different behavior.))
Nicolás Sanguinetti
2007-Dec-16 23:58 UTC
Re: stripTags() function doesn't work properly as it is expected to
Well, would you like to submit a documentation patch? ;-)

Best,
-N
spyboost
2007-Dec-19 15:29 UTC
Re: stripTags() function doesn't work properly as it is expected to
Well, no :) I think it now describes the behavior well :) At least I know what it does.