I''m sure many of you read the recently slashdotted article on a cross-site scripting exploit using CSS that was recently done on MySpace (leaving aside opinions of MySpace code). http://www.betanews.com/article/CrossSite_Scripting_Worm_Hits_MySpace/1129232391 Just out of curiosity would a similar exploit have any chance to be taken on a Rails application? How would rails be immune to a similar attack or is it up to the developer to prevent it? Apologies if my question is off mark. I''m still trying to learn as I go.
I''m sure many of you read the recently slashdotted article on a cross-site scripting exploit using CSS that was recently done on MySpace (leaving aside opinions of MySpace code). http://www.betanews.com/article/CrossSite_Scripting_Worm_Hits_MySpace/1129232391 Just out of curiosity would a similar exploit have any chance to be taken on a Rails application? How would rails be immune to a similar attack or is it up to the developer to prevent it? Apologies if my question is off mark. I''m still trying to learn as I go.
http://manuals.rubyonrails.com/read/book/8 On 17/10/05, SB <richstyles-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:> I''m sure many of you read the recently slashdotted article on a > cross-site scripting exploit using CSS that was recently done on > MySpace (leaving aside opinions of MySpace code). > > http://www.betanews.com/article/CrossSite_Scripting_Worm_Hits_MySpace/1129232391 > > Just out of curiosity would a similar exploit have any chance to be > taken on a Rails application? How would rails be immune to a similar > attack or is it up to the developer to prevent it? > > Apologies if my question is off mark. I''m still trying to learn as I go. > _______________________________________________ > Rails mailing list > Rails-1W37MKcQCpIf0INCOvqR/iCwEArCW2h5@public.gmane.org > http://lists.rubyonrails.org/mailman/listinfo/rails >-- Rasputin :: Jack of All Trades - Master of Nuns http://number9.hellooperator.net/
First off I have only be writing RoR code for a total of a week so this might not be totally accurate. I do web application security for a living though and recently stayed at Holiday Inn :-) Ruby on Rails does not prevent XSS attacks per-se it only provides developers a easy to use mechanism to stop them. When ever you grab something out of the database and render it use the <%=h stuff.from.db %> note the h that will HTML entity encode all non- alpha numeric characters. I would like to see this as the default behavior for rails since I certainly think this falls into the sensible defaults category. I think languages in general should make it hard to do bad things not harder to do the right thing. On Oct 17, 2005, at 3:07 AM, SB wrote:> I''m sure many of you read the recently slashdotted article on a > cross-site scripting exploit using CSS that was recently done on > MySpace (leaving aside opinions of MySpace code). > > http://www.betanews.com/article/ > CrossSite_Scripting_Worm_Hits_MySpace/1129232391 > > Just out of curiosity would a similar exploit have any chance to be > taken on a Rails application? How would rails be immune to a similar > attack or is it up to the developer to prevent it? > > Apologies if my question is off mark. I''m still trying to learn as > I go. > _______________________________________________ > Rails mailing list > Rails-1W37MKcQCpIf0INCOvqR/iCwEArCW2h5@public.gmane.org > http://lists.rubyonrails.org/mailman/listinfo/rails > >- Bill