I stumbled on the fact that text_area_tag does not HTML escape its
content by default. For example:
text_area_tag "body",
"</textarea><script>alert('xss');</script>"
If you try that, you'll see that the content is inserted literally.
Considering the fact that the tag helpers all encode their attribute
values by default, does this surprise anyone else?
I found a ticket on this issue from a couple years ago from Chris Mear
but it looks like it was dropped:
http://dev.rubyonrails.org/ticket/5929
It seems like there were two main arguments against encoding:
1. backwards compatibility
2. some people depend on this behavior to allow HTML in their text
area boxes
#2 I don't really understand. You can allow HTML...just escape it.
It's equivalent to allowing HTML in a text field tag, no? You have to
either know the value is sanitized or escape it.
#1 I can understand, but that's not a show-stopper, right? There have
been numerous non-backwards-compatible changes adopted by introducing
them slowly, providing config options, etc.
I'm guessing there's quite a few people using text_area_tag and
assuming the content is being safely escaped by default. And every one
of them is an XSS problem.
It's an issue with anything that uses content_tag, of course. Try
this, for example:
label_tag 'foo',
"</label><script>alert('xss2')</script>"
At the very least, are we amenable to adding a note in the
FormTagHelper docs about the escaping rules?
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.
To post to this group, send email to
rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to
rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at
http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---
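Added example (not code from the post or from Rails): it models the two helpers as the post describes them, adds a hardened variant that escapes the body the way attribute values already are, and checks whether user content broke out of its element. The names literal_content_tag, escaped_content_tag, demo_text_area_tag, demo_label_tag and element_intact? are stand-ins written for this example.

```ruby
require 'cgi'

# Stand-in for content_tag as the post describes it: attributes are escaped,
# the body is inserted literally. Not Rails code; written for this example.
def literal_content_tag(tag, content, attrs = {})
  attr_str = attrs.map { |k, v| %( #{k}="#{CGI.escapeHTML(v.to_s)}") }.join
  "<#{tag}#{attr_str}>#{content}</#{tag}>"
end

# Hardened variant: the body gets the same escaping the attributes already get.
def escaped_content_tag(tag, content, attrs = {})
  literal_content_tag(tag, CGI.escapeHTML(content.to_s), attrs)
end

# Demo counterparts of text_area_tag and label_tag; escape: false reproduces
# the literal insertion the post complains about.
def demo_text_area_tag(name, content, escape: true)
  builder = escape ? method(:escaped_content_tag) : method(:literal_content_tag)
  builder.call('textarea', content, id: name, name: name)
end

def demo_label_tag(name, content, escape: true)
  builder = escape ? method(:escaped_content_tag) : method(:literal_content_tag)
  builder.call('label', content, for: name)
end

# True when the markup still contains exactly one opening and one closing
# element of the expected tag and no <script> element at all, i.e. the body
# did not break out of the element it was placed in.
def element_intact?(html, tag)
  html.scan(/<#{tag}\b/i).size == 1 &&
    html.scan(%r{</#{tag}>}i).size == 1 &&
    !html.match?(%r{<script\b}i)
end

# Constructed samples: the break-out strings quoted in the post.
TEXTAREA_PAYLOAD = "</textarea><script>alert('xss');</script>"
LABEL_PAYLOAD    = "</label><script>alert('xss2')</script>"

if __FILE__ == $PROGRAM_NAME
  [[:textarea, demo_text_area_tag('body', TEXTAREA_PAYLOAD, escape: false)],
   [:textarea, demo_text_area_tag('body', TEXTAREA_PAYLOAD)],
   [:label,    demo_label_tag('foo', LABEL_PAYLOAD, escape: false)],
   [:label,    demo_label_tag('foo', LABEL_PAYLOAD)]].each do |tag, html|
    puts "#{element_intact?(html, tag) ? 'intact' : 'BROKEN'}  #{html}"
  end
end
```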
On Feb 15, 8:10 pm, mla <maurice.aub...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> I found a ticket on this issue from a couple years ago from Chris Mear
> but it looks like it was dropped:
> http://dev.rubyonrails.org/ticket/5929

I've posted a new ticket on Lighthouse with an up-to-date patch:
http://rails.lighthouseapp.com/projects/8994-ruby-on-rails/tickets/2015-text_area_tag-should-escape-contents-by-default

I also noticed that the text_area method in FormHelper actually does escape its contents now, so text_area_tag probably should do the same for consistency's sake if nothing else.

Chris
On Feb 15, 8:10 pm, mla <maurice.aub...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> I found a ticket on this issue from a couple years ago from Chris Mear
> but it looks like it was dropped:
> http://dev.rubyonrails.org/ticket/5929

I've put up an updated ticket and patch:
http://rails.lighthouseapp.com:80/projects/8994/tickets/2015-text_area_tag-should-escape-contents-by-default

Since making that first patch two years ago, the corresponding text_area method in FormHelper now escapes its contents by default, so I think there's a good case for text_area_tag having the same behaviour, for consistency's sake if nothing else.

Chris