jemminger
2010-Aug-10 17:21 UTC
ActiveRecord::UnknownAttributeError: unknown attribute: <script type
Has anyone seen this happening to their apps? I'm starting to get errors like this come across from one of my apps:

    ActiveRecord::UnknownAttributeError: unknown attribute: <script type

The parameters being sent are:

    {"user"=>
      {"email_confirmation"=>"someone-hcDgGtZH8xNBDgjK7y7TUQ@public.gmane.org",
       "wants_new_message_notifications"=>"1",
       "is_admin"=>"0",
       "<script type"=>"=MyLastName",
       "first_name"=>"MyFirstName",
       "email"=>"someone-hcDgGtZH8xNBDgjK7y7TUQ@public.gmane.org"},
     "account_id"=>"1",
     "action"=>"create",
     "controller"=>"users",
     "_"=>""}

Obviously it throws this error since my user model doesn't have a property named "<script type". So far it looks like it's coming from Safari only, both Windows and Mac. I'm wondering what could be renaming the form field names on the client side to cause this? I have verified that the rendered HTML is correct.

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.
Hassan Schroeder
2010-Aug-10 19:04 UTC
Re: ActiveRecord::UnknownAttributeError: unknown attribute: <script type
On Tue, Aug 10, 2010 at 10:21 AM, jemminger <jemminger-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:

> {"user"=>
>   {"email_confirmation"=>"someone-hcDgGtZH8xNBDgjK7y7TUQ@public.gmane.org",
>    "wants_new_message_notifications"=>"1",
>    "is_admin"=>"0",
>    "<script type"=>"=MyLastName",
>    "first_name"=>"MyFirstName",

> I'm wondering what could be renaming the form field names on the
> client side to cause this? I have verified that the rendered HTML is
> correct.

How? Using the W3C validator?

I'd bet on mis-matched/imbalanced quotes and/or tags somewhere
close to that input field.

Unless you have some JavaScript doing some funny innerHTML
insertions; but easy enough to turn off JS and see if the error recurs.

FWIW,
--
Hassan Schroeder ------------------------ hassan.schroeder-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org
twitter: @hassan
Gudleik Rasch
2010-Aug-10 20:47 UTC
Re: ActiveRecord::UnknownAttributeError: unknown attribute: <script type
Could be a bug or even someone trying to inject malicious JavaScript code into your app. In either case it's good practice to have these kinds of scenarios covered by tests.

You should also make sure that some fields are protected from mass-assignment. In your hash you have is_admin => 0. If you have in your controller:

    User.create params[:user]
    # or
    @user.update_attributes params[:user]

Then anybody can create an admin user by posting is_admin=1, unless you protect it in your model like this:

    class User < ActiveRecord::Base
      attr_protected :is_admin
      # or
      attr_accessible :name, :email, :username
    end

Railscasts.com has some screencasts on this topic: http://railscasts.com/tags/5

--
gudleik

On Tue, Aug 10, 2010 at 9:04 PM, Hassan Schroeder <hassan.schroeder-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> On Tue, Aug 10, 2010 at 10:21 AM, jemminger <jemminger-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
>
>> {"user"=>
>>   {"email_confirmation"=>"someone-hcDgGtZH8xNBDgjK7y7TUQ@public.gmane.org",
>>    "wants_new_message_notifications"=>"1",
>>    "is_admin"=>"0",
>>    "<script type"=>"=MyLastName",
>>    "first_name"=>"MyFirstName",
>
>> I'm wondering what could be renaming the form field names on the
>> client side to cause this? I have verified that the rendered HTML is
>> correct.
>
> How? Using the W3C validator?
>
> I'd bet on mis-matched/imbalanced quotes and/or tags somewhere
> close to that input field.
>
> Unless you have some JavaScript doing some funny innerHTML
> insertions; but easy enough to turn off JS and see if the error recurs.
>
> FWIW,
> --
> Hassan Schroeder ------------------------ hassan.schroeder-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org
> twitter: @hassan
jemminger
2010-Aug-11 16:26 UTC
Re: ActiveRecord::UnknownAttributeError: unknown attribute: <script type
On Aug 10, 4:47 pm, Gudleik Rasch <gudl...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> Could be a bug or even someone trying to inject malicious JavaScript
> code into your app.
> In either case it's good practice to have these kinds of scenarios
> covered by tests.

How? It's not really feasible to strip attrs that don't belong from the params... I'd have to query the targeted model for its list of valid params and then reject non-matches. The idiom is to trustingly throw the whole hash at the model - "User.create params[:user]".

This error doesn't seem to be so much a security risk as just perplexing. Happened again on another action today... random field, "unknown attribute: description<script type". Safari only again.

> You should also make sure that some fields are protected from mass-assignment.
> In your hash you have is_admin => 0. If you have in your controller:
> User.create params[:user]
> # or
> @user.update_attributes params[:user]

Thanks, this has already been done.
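The mass-assignment protection Gudleik describes, and the "reject params that don't belong" filtering jemminger asks about, as an added example that is not part of this thread and needs no ActiveRecord to run. A plain-Ruby stand-in for the User model (hypothetical names: COLUMNS, PROTECTED, ACCESSIBLE, try_assign) applies the same posted hash under three strategies: assign_raw! models a model with no protection at all, assign_with_blacklist! models attr_protected, and assign_with_whitelist models attr_accessible. The two sample hashes are constructed from the params in the first post, with the gmane-rewritten addresses replaced by example.com ones.

```ruby
require "set"

# Hypothetical stand-in for the thread's User model; plain Ruby, no
# ActiveRecord, so it runs anywhere. Attribute names are those of the
# posted params hash.
class User
  class UnknownAttributeError < StandardError; end

  # Columns the model actually has.
  COLUMNS = Set.new(%w[first_name last_name email email_confirmation
                       wants_new_message_notifications is_admin]).freeze
  # attr_protected-style blacklist: never settable from request params.
  PROTECTED = Set.new(%w[is_admin]).freeze
  # attr_accessible-style whitelist: the only keys a request may set.
  ACCESSIBLE = (COLUMNS - PROTECTED).freeze

  attr_reader :attributes

  def initialize
    @attributes = { "is_admin" => "0" }
  end

  # No mass-assignment protection (User.create params[:user] on a model
  # that declares neither attr_protected nor attr_accessible).
  def assign_raw!(params)
    write_all(params)
  end

  # Blacklist: protected keys are dropped, everything else is written,
  # so a key the model does not know still reaches it and raises.
  def assign_with_blacklist!(params)
    write_all(params.reject { |k, _| PROTECTED.include?(k) })
  end

  # Whitelist: only accessible keys are written. Protected and unknown
  # keys are dropped before assignment and reported back, so the caller
  # can log them or assert on them in a test.
  def assign_with_whitelist(params)
    rejected = {}
    clean = params.select do |k, _|
      next true if ACCESSIBLE.include?(k)
      rejected[k] = PROTECTED.include?(k) ? :protected : :unknown
      false
    end
    write_all(clean)
    rejected
  end

  def admin?
    @attributes["is_admin"] == "1"
  end

  private

  # Mirrors ActiveRecord's attributes=: a key with no matching column
  # raises UnknownAttributeError, as in the error from the thread.
  def write_all(params)
    params.each do |k, v|
      raise UnknownAttributeError, "unknown attribute: #{k}" unless COLUMNS.include?(k)
      @attributes[k] = v
    end
    self
  end
end

# Constructed sample inputs. POSTED_USER is the "user" hash from the
# original post, mangled field name included; ESCALATION_ATTEMPT is the
# same form submitted intact but with is_admin flipped to "1".
POSTED_USER = {
  "email_confirmation" => "someone@example.com",
  "wants_new_message_notifications" => "1",
  "is_admin" => "0",
  "<script type" => "=MyLastName",
  "first_name" => "MyFirstName",
  "email" => "someone@example.com",
}.freeze

ESCALATION_ATTEMPT = POSTED_USER
  .merge("is_admin" => "1", "last_name" => "MyLastName")
  .reject { |k, _| k == "<script type" }
  .freeze

# Runs one strategy on a fresh user; returns [user, rejected_keys, error].
def try_assign(strategy, params)
  user = User.new
  rejected = user.public_send(strategy, params)
  rejected = {} unless rejected.is_a?(Hash)
  [user, rejected, nil]
rescue User::UnknownAttributeError => e
  [user, {}, e.message]
end

if __FILE__ == $PROGRAM_NAME
  %i[assign_raw! assign_with_blacklist! assign_with_whitelist].each do |strategy|
    [POSTED_USER, ESCALATION_ATTEMPT].each do |params|
      user, rejected, error = try_assign(strategy, params)
      puts format("%-22s admin?=%-5s rejected=%s error=%s",
                  strategy, user.admin?, rejected.inspect, error.inspect)
    end
  end
end
```

Running it shows why the two protections differ: with no protection the escalation attempt yields an admin user; a blacklist stops that but still lets "<script type" through to raise UnknownAttributeError, which is the behaviour in the thread; a whitelist drops both the protected key and the unknown key before the model sees them, so the request is neither an escalation nor an exception, just a rejected-keys hash worth logging. That matches Rails 2.x/3.x, where attr_accessible sanitized params before assignment (non-whitelisted keys were logged as protected-attribute warnings) while attr_protected only stripped the listed keys. Rails 3.2 added config.active_record.mass_assignment_sanitizer = :strict to raise on protected keys instead of dropping them, and Rails 4 moved the whitelist into the controller as strong parameters.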