Hello! Does anybody know of a Ruby implementation of a HTML sanitizer that prevents the attacks described on the xss cheatsheet? (http://ha.ckers.org/xss.html) I checked out the version Jamis wrote (http://dev.rubyonrails.com/ticket/1277), but that only covers the very basic attacks. Anybody? Just figured I would ask before I reinvent the wheel.. Ciao! Florian
After reading that I say reinvent! The more experience Rails has dealing with XSS, the better. -----Original Message----- From: Florian Weber Sent: Friday, 13 May 2005 1:15 PM Subject: [Rails] HTML sanitizer
On May 12, 2005, at 9:14 PM, Florian Weber wrote:

> Does anybody know of a Ruby implementation of a HTML sanitizer that prevents the attacks described on the xss cheatsheet? (http://ha.ckers.org/xss.html)

Florian, I wish I'd known about that site before--I'd have worked harder to cover more of the bases! As it is, I've half a mind to hop in and improve what I submitted originally, but if you have the time and inclination (and you're willing to submit what you create back to Rails) I'd be happy just to use what you come up with. - Jamis
Florian Weber wrote:

> Does anybody know of a Ruby implementation of a HTML sanitizer that prevents the attacks described on the xss cheatsheet? (http://ha.ckers.org/xss.html)

Can't you just use <%=h blah %> in the view? The <%=h is the important part. - Adam
On 5/13/05, Adam M. wrote:

> Can't you just use <%=h blah %> in the view? The <%=h is the important part.

That will escape *all* the tags. Jamis' solution is for sites like backpack where you want your users to be able to input a subset of 'safe' tags. -- Cheers Koz
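The distinction Koz draws, escaping everything versus keeping an allow-list of tags, as an added example written for this thread (not code from Rails or from anyone on the list), using only Ruby's standard library. The tag and attribute lists and the regex tokenizer are assumptions chosen for illustration; a production sanitizer should sit on a real HTML parser rather than regexes.

```ruby
require 'cgi'
require 'strscan'

# What Rails' h helper does: every character with HTML meaning is escaped,
# so no markup at all survives.
def escape_all(html)
  CGI.escapeHTML(html)
end

# Allow-list for the sanitizer (assumed for this example).
ALLOWED_TAGS  = %w[b i em strong p br a].freeze
ALLOWED_ATTRS = { 'a' => %w[href] }.freeze
SAFE_URL      = %r{\A(?:https?://|mailto:|/|#)}i # schemes/paths a link may use

# Keep only allowed attributes. href is checked after decoding entities and
# dropping control chars/whitespace, so "jav&#x09;ascript:" cannot slip by.
def safe_attrs(tag, attrs)
  allowed = ALLOWED_ATTRS.fetch(tag, [])
  attrs.scan(/([A-Za-z][\w:-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/).map do |name, dq, sq, bare|
    name  = name.downcase
    value = CGI.unescapeHTML(dq || sq || bare)
    next unless allowed.include?(name)
    next if name == 'href' && value.gsub(/[\x00-\x20]/, '') !~ SAFE_URL
    %( #{name}="#{CGI.escapeHTML(value)}")
  end.compact.join
end

# Allow-list sanitizer: listed tags are kept (with safe attributes only),
# unknown tags are dropped but their text is kept, and the *content* of
# script/style elements is discarded. Text is re-escaped on the way out.
def sanitize(html)
  s = StringScanner.new(html)
  out = +''
  skip_until = nil # set to 'script'/'style' while inside such an element
  until s.eos?
    if s.scan(%r{<\s*(/?)\s*([A-Za-z][A-Za-z0-9]*)([^>]*?)\s*/?>})
      closing, tag, attrs = s[1] == '/', s[2].downcase, s[3]
      if skip_until
        skip_until = nil if closing && tag == skip_until
      elsif %w[script style].include?(tag)
        skip_until = tag unless closing
      elsif ALLOWED_TAGS.include?(tag)
        out << (closing ? "</#{tag}>" : "<#{tag}#{safe_attrs(tag, attrs)}>")
      end
    elsif s.scan(/[^<]+/) || s.scan(/</)
      out << CGI.escapeHTML(CGI.unescapeHTML(s.matched)) unless skip_until
    end
  end
  out
end
```

`escape_all` is the behaviour of `<%=h %>`; `sanitize` is the kind of thing Jamis' ticket aims at, keeping `<b>` and a plain `href` while dropping event-handler attributes, script content and scheme-encoded links.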