thr3ads.net - Rails - VERBOTEN_TAGS and VERBOTEN

If this information is useful, please help other people find it:
Share via:

Justin Dossey

2006-Oct-25 16:19 UTC

VERBOTEN_TAGS and VERBOTEN_ATTRS

Hey all,

I''ve found that the standard VERBOTEN_TAGS and VERBOTEN_ATTRS constants
let far too much malicious code into a page.

I''m not talking about ugly-- I''m talking about stuff like
javascript
redirects  Bad!

Since they''re customizable, I have now:

ActionView::Helpers::TextHelper::VERBOTEN_TAGS=%w{frame form script iframe meta}
ActionView::Helpers::TextHelper::VERBOTEN_ATTRS=/^(on|dynsrc)/i

(the dynsrc attribute can be added to an img tag, and popular browsers
will then execute javascript in the attribute.)

It would be nice if these modifications made it into the trunk, so no one
else has the problems I''ve seen in production.

-- 
Justin Dossey

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk
-~----------~----~----~----~------~----~------~--~---

_Kevin

2006-Oct-25 16:21 UTC

head link

Re: VERBOTEN_TAGS and VERBOTEN_ATTRS

Justin Dossey wrote:> Hey all,
>
> I''ve found that the standard VERBOTEN_TAGS and VERBOTEN_ATTRS
constants
> let far too much malicious code into a page.
>
> I''m not talking about ugly-- I''m talking about stuff like
javascript
> redirects  Bad!
>
> Since they''re customizable, I have now:
>
> ActionView::Helpers::TextHelper::VERBOTEN_TAGS=%w{frame form script iframe
meta}
> ActionView::Helpers::TextHelper::VERBOTEN_ATTRS=/^(on|dynsrc)/i
>
> (the dynsrc attribute can be added to an img tag, and popular browsers
> will then execute javascript in the attribute.)
>
> It would be nice if these modifications made it into the trunk, so no one
> else has the problems I''ve seen in production.
>
> --
> Justin Dossey
Then submit a patch to the rails trac....

dev.rubyonrails.org

_Kevin


--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk
-~----------~----~----~----~------~----~------~--~---

Rails - Oct 2006 - VERBOTEN_TAGS and VERBOTEN_ATTRS

VERBOTEN_TAGS and VERBOTEN_ATTRS

Re: VERBOTEN_TAGS and VERBOTEN_ATTRS