similar to: HTML sanitizer

Displaying 20 results from an estimated 2000 matches similar to: "HTML sanitizer"

2006 Jan 09
3
XSS prevention with Rails
Hi! I wanna take a stab at implementing better XSS prevention for Rails. This time for real =) I'm wondering what would be the better way, clean everything up with tidy first and then do the rest with regexp or regexp all the way? Anybody done this before? Thanks! Ciao! Florian
2007 Sep 27
6
Security + Rails =Joke?
Hi, http://dev.rubyonrails.org/ticket/8453 http://dev.rubyonrails.org/ticket/8371 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3227 I came across the above by accident. While I am subscribed to the so-called rails security list, where announcements of security issues were supposed to be posted, neither of the above problems made the list. While I use rails a lot and like it, the above
2006 May 05
4
Is sanitize() strong enough to protect me from XSS?
Haven't been able to find a good enough answer on whether using sanitize() is enough to really protect me from XSS attacks. I basically have a blog page that I want to allow people to display comments on, but would like to allow html tags to be posted in the comments; these could be html tags like the imageshack img tags, youtube player, photobucket img tags etc. Any other approaches or
2008 Mar 15
1
Javascript in URLs (was: Markdown doesn't always generate XHTML)
On Fri, Mar 14, 2008 at 11:22 PM, Michel Fortin <michel.fortin at michelf.com> wrote: > > "Safe mode" you say? Yeah, well, I didn't paint that bike shed. > > PHP Markdown also has a no-markup mode which would filter script tags > and any other HTML tags. But this doesn't prevent anyone from > inserting their own script on the page. Do you know you can
2006 May 11
3
sanitize dangers
I've noticed that it is possible to pass javascript unaltered through the sanitize function using CSS. For example: sanitize( "<style type='text/css'>body{background-image:url('javascript:window.alert(1)') }</style>" ) IE will execute the javascript. Firefox will not. I haven't tried it with any other browsers.
2015 Aug 11
4
Apache mod_perl cross site scripting vulnerability
Hello, I've failed the latest PCI scan because of CVE-2009-0796. Centos 6.7. The Red Hat Security Response Team has rated this issue as having moderate security impact and the bug as wontfix. Explanation: The vulnerability affects a non-default configuration of the Apache HTTP web server, i.e. cases when access to Apache::Status and Apache2::Status resources is explicitly allowed via <Location
2008 Jun 06
2
Messy Cookies
It looks like everyone has tried to fix the cookies lately, and no-one managed to get it 100% correct. The current implementation doesn't set the path correctly, and you can't use @cookies in a #service-overload. Qwzybug's patch fixed only the sessions. Jenna's patch won't allow setting complex cookies (@cookies.key = {:path => "/path",
2006 Feb 01
4
REXML::ParseException - but the feed IS valid
I am using Ruby feedparser and when I try to parse this feed: http://feeds.feedburner.com/Mobilecrunch I get an error: REXML::ParseException: Declarations can only occur in the doctype declaration. This feed does validate at feedvalidator.org. Any idea why it would raise an exception? Thanks, eduard
2012 Dec 18
1
off-topic: firefox & noscript
Not a biggie, but definitely annoying: I try to register for a media site, so I can put in a comment, and every time I hit "register", noscript pops up telling me it's protecting me from cross-site scripting... and if it's giving me any way to say, "that's ok for this site", I don't see it. I've tried typing in a pattern for xss, and no joy. Clues for the
2009 Mar 22
2
Backporting and Apache 2.0.52 is 4 1/2 years old
http://httpd.apache.org/security/vulnerabilities_20.html states that Apache 2.0.52 is 4 years old and the latest version is 2.0.68. I am no longer a httpd expert, but at least one of the security fixes involves XSS attacks via malformed ftp commands. I also realize that redhat / centos may patch things separately from Apache and that the sysadmin has a great deal to do with how secure things
2006 Apr 18
4
Security considerations with displaying uploaded HTML
I have an application where I am allowing users to upload (or refer the app. to) arbitrary HTML that I am (currently) displaying in an IFRAME on a page. The users will be authenticated so it's not open to the entire universe. I was always uneasy with this, but after reading the security chapter of AWDWR, I am even more concerned. What kinds of applications do people have out there
2004 May 25
1
Share violation on file error
Hi! I see some strange errors on a samba-3.0.2a PDC and fileserver running under Linux. Every now and then users are not able to access some random file. Windows tells the user that the "file is already opened" or some similar error message (it's an error message in German). The files are varying, I see all kinds of filenames where
2019 May 22
3
HTTPS warning on developer.r-project.org
[Please CC me on replies, as I am not subscribed.] Dear R folks, Accessing the *R Developer Page* [1], the browser (Firefox) shows an HTTPS warning. The reason is the embedded Google logo. > Gemischte (unsichere) Anzeige-Inhalte von "http://www.google.com/logos/Logo_40wht.gif" werden auf einer sicheren Seite geladen Could you change that to an HTTPS link please? $ curl -I
2015 Apr 06
5
Reference Sheet (CheatSheet) for "ggplot2" translated into Spanish...
Hello, Over this past Holy Week, Santiago Mota and I translated into Spanish the "ggplot2" cheatsheet that RStudio recently published. We have just been told that the reference sheet is now available: http://www.rstudio.com/resources/cheatsheets/ -- Regards, Carlos Ortega www.qualityexcellence.es
2006 Aug 03
9
Rails Cheatsheets!!!
Hey if you know any rails cheatsheet link add it into the following list, let's make a long list of Rails cheatsheets.... ;) 1) 2) 3) 4) . . .
2008 Jan 04
7
1.6 cheatsheet
Hey has anyone seen a 1.6 cheatsheet around? Johnathan Snook did a nice 1.5 one but I've been working with 1.6 for a while and while I can use prototypejs.org, cheatsheets are handy for jogging memories.. I checked his blog, nothing there for 1.6. Gareth
2013 Feb 18
4
PROPOSAL: Remove SWAT in Samba 4.1
As most of you would have noticed, we have now had 3 CVE-nominated security issues for SWAT in the past couple of years. At the same time, while I know many of our users use SWAT, we just don't have anybody to maintain it inside the Samba Team. Kai has made a valiant effort to at least apply the XSS and CSRF guidelines when folks make security reports, but by his own admission he isn't a
2006 Jul 28
1
Nasty pitfall: don't use ^ and $ in validation regexes!
Let's say you want to validate that an attribute contains only 2-10 lowercase characters, e.g. with validates_format_of. The appropriate regex is obviously /^[a-z]{2,10}$/, right? Wrong! Try it with "abc\nANYTHING YOU LIKE" - this is perfectly valid. On the second look the reason is clear: ^ matches the start of a line, $ matches the end of a line. So as long as one line in
2006 Jan 25
1
Protecting Your Apps against Cross Site Scripting Attacks
This has been in the news lately, so I wrote up an article about a method I use to protect my app against XSS attacks. It's easy to use if you don't care how it works, and I go through some of the metaprogramming techniques I used if you do. Check it out: http://blog.explorationage.com/articles/2006/01/25/how-to-protect-your-rails-apps-against-cross-site-scripting-attacks
2012 Dec 12
0
Sanitize for style attributes
It's really confusing to decide whether sanitize will help avoid XSS in the case when :attributes => %w( style ). On stackoverflow, people say that it is not safe, yet the examples they give, such as style="background-image: url(javascript:[code]);", are being filtered out using sanitize and all that is left is style="". Is there a way to get a definite answer if