Displaying 20 results from an estimated 4000 matches similar to: "XSS prevention with Rails"
2005 May 13
5
HTML sanitizer
Hello!
Does anybody know of a Ruby implementation of a HTML sanitizer that
prevents the attacks described on the xss cheatsheet?
(http://ha.ckers.org/xss.html)
I checked out the version Jamis wrote
(http://dev.rubyonrails.com/ticket/1277), but that only covers the
very basic attacks.
Anybody? Just figured I would ask before I reinvent the wheel..
Ciao!
Florian
2006 May 05
4
Is sanitize() strong enough to protect me from XSS?
Haven't been able to find a good enough answer on whether using
sanitize() is enough to really protect me from XSS attacks
I basically have a blog page that I want to allow people to display
comments on, but I would like to allow HTML tags to be posted in the
comments; these could be HTML tags like the imageshack img tags, youtube
player, photobucket img tags etc
any other approaches or
2015 Aug 11
4
Apache mod_perl cross site scripting vulnerability
Hello,
I've failed latest PCI scan because of CVE-2009-0796. Centos 6.7. The
Red Hat Security Response Team has rated this issue as having moderate
security impact and bug as wontfix.
Explanation: The vulnerability affects a non-default configuration of
the Apache HTTP web server, i.e. cases when access to Apache::Status and
Apache2::Status resources is explicitly allowed via <Location
2007 Nov 29
27
Strip & Sanitize BEFORE saving data
So I've googled my brains out, and I see a lot of talk about
TextHelper for views, but next to no discussion about cleaning text
_before_ it is saved.
I figured this had to be asked 4 zillion times, but I'm not finding
anything concrete/obvious.
Using h is fine as a safety catch, but that alone is not acceptable
to me as the means of defusing the impact of HTML or JS
2006 Jun 21
11
executive: "is rails secure?"
Yesterday, I was doing a dog-and-pony for the head of the company that
I work for.
He asked, "Is this (a rails application) secure?"
I said, "It's as secure as anything else on the web is," and proceeded
to talk about how the data was protected, how we weren't saving
anything that's worth protecting, and so on.
I'd like to have a better
2006 Jan 25
11
Schemas and Migrations
Hello-
I'm new to the ruby-based schemas and migrations. As I'm looking over
examples and such online, I see that many of them don't make use of
schema-enforced attributes. For example, instead of:
t.column "post_id", :integer, :default => 0, :null => false
They do:
t.column "post_id", :integer
So I'm wondering -- is this
2010 Feb 02
0
[Security] Loofah has an HTML injection / XSS vulnerability, please upgrade to 0.4.6
Synopsis
----------
Loofah::HTML::Document#text emits unencoded HTML entities prior to
0.4.6. This was originally by design, since the output of #text is
intended to be used in a non-HTML context (such as generation of
human-readable text documents).
However, Loofah::XssFoliate's default behavior and
Loofah::Helpers#strip_tags
both use #text to strip tags out of the output, meaning that
2006 May 11
3
sanitize dangers
I've noticed that it is possible to pass javascript unaltered through
the sanitize function using CSS. For example:
sanitize( "<style type='text/css'>body{background-image:url('javascript:window.alert(1)')}</style>" )
IE will execute the javascript. Firefox will not. I haven't tried it
with any other browsers.
2006 Apr 03
11
View source after AJAX update?
Does anyone know how to view the new source in IE after an AJAX update? When I "view -> source" I get the original page source, not the page source as updated.
Thanks in advance,
Bill
2006 Jan 08
8
RailsEdge - where to get latest javascripts ?
To play with RJS I just made a "rake freeze edge". But this copies only the
libs into vendor/rails and any attempt of "rake update_javascripts" fails.
But all the required javascripts are there, at:
BASEPATH/vendor/rails/actionpack/lib/action_view/helpers/javascripts/
Except for prototype, they seem to have no version number, so I am asking
whether I should take those
2006 Jan 09
4
Problem with habtm and resulting SQL insert
Cheers,
I have a problem with 1.0 and a habtm relationship between User and Article.
I want to save all articles that users read. I have these models:
class User < ActiveRecord::Base
has_and_belongs_to_many :read_articles, :class_name => "Article",
:join_table => "read_articles"
...
end
class Article < ActiveRecord::Base
has_and_belongs_to_many :readers,
2005 Dec 21
3
Patch Cycle
Hello,
I submitted a patch <http://dev.rubyonrails.org/ticket/3287> (
http://dev.rubyonrails.org/ticket/3287) a couple of days ago. The patch adds
some methods into and changes the existing methods in the CaptureHelper
module. It should not, as I can see, affect any existing Rails
implementations.
I added the relevant unit tests and all but one of the tests pass. The test
that fails failed
2006 Jan 08
3
Scheduling Tasks
I'm working on a RoR project and a requirement has popped up that would
require certain actions to happen at certain time intervals (as opposed to
having a user initiate the action). Is there anything similar to Java's
Quartz library, *nix cron, or anything of the like for Rails? I'm certainly
willing to help with/test Ruby code if someone on the list is already
2006 Mar 29
2
Textdrive Rails 1.1 Error - Dependencies::LoadingModule
Textdrive upgraded to Rails 1.1 already.
I have an older rails app, and am now getting the following error:
c:/ruby/lib/ruby/gems/1.8/gems/activesupport-1.3.0/lib/active_support/dependencies.rb:112:in `const_missing': uninitialized constant LoadingModule (NameError)
from ./script/../config/environment.rb:91
from
2006 Jun 03
2
migrations unit test and sqlite3 add_column
Hi all,
I submitted a patch the other day for an issue I ran into running an
"add_column" migration on a sqlite3 database when there is existing
data in the table, and the new column has ":null=>false".
Details at http://dev.rubyonrails.org/ticket/5215.
The issue I encountered was not picked due to the unit test not
having any actual data in it before running the
2005 Dec 15
2
Rails 1.0 & RJS Templates
Hello all,
I just successfully updated my dev env to Rails 1.0. I then wanted to
get .rjs templates working and followed Cody's instructions at
http://www.codyfauser.com/articles/2005/12/02/rails-rjs-templates-plugin
. However, when I try to run 'rake test' I get the following error:
(in
2009 Jun 04
0
XSS (was Re: Centos 5.3 -> Apache - Under Attack ? Oh hell....)
Bob Hoffman wrote:
> Since each install uses the same pages basically, it is easy for an autobot
> to find them all and zero day your forums, xss your whatever, and so on.
>
> Dang scary to leave JS on at all....even though you basically have to.
Mozilla is beginning to address this issue with Content Security Policy
-=-
2006 Apr 05
3
Where to find non deprecated docs?
I started two weeks ago with rails and I'm amazed at what can be done in
a short time; I already finished the agile development with rails and
some of the tutorials at the documentation section of the
rubyonrails.com site.
But I realize that many of the tutorials and examples around the web and
books are using earlier versions of rails (0.x.x) and some of that code
and coding practices are
2006 Feb 04
2
Differentiating between normal site content and accounts with subdomains
I'm using the subdomains as accounts method fine on a project, but
I'm wondering what is the best way to differentiate between account
subdomains to access the app using an account, and www.domain.com and
domain.com in order to show normal site content.
I've noticed that on Backpack, it seems that when you leave the
information pages and start using the app,
2006 Apr 06
3
Rails 1.1.1: Fixing a slew of minors (but you must still freeze Typo)
Rails 1.1 was a big upgrade with a lot of new features and we've been
working hard since its release to polish off the kinks revealed after
it was deployed to the masses. Rails 1.1.1 contains fixes for things
like Prototype memory leaks in IE 6, Oracle adapter runnings, and a
number of compatibility tweaks to make most older applications work.
This release still doesn't work