similar to: sanitize removes negative value in style

Displaying 20 results from an estimated 30000 matches similar to: "sanitize removes negative value in style"

2012 Dec 12
0
Sanitize for style attributes
It's really confusing to decide whether sanitize will help avoid XSS in the case when :attributes => %w( style ). On stackoverflow, people say that it is not safe, yet the examples they give, such as style="background-image: url(javascript:[code]);", are being filtered out using sanitize and all that is left is style="". Is there a way to get a definite answer if
2006 May 11
3
sanitize dangers
I've noticed that it is possible to pass javascript unaltered through the sanitize function using CSS. For example: sanitize( "<style type='text/css'>body{background-image:url('javascript:window.alert(1)') }</style>" ) IE will execute the javascript. Firefox will not. I haven't tried it with any other browsers.
2005 Dec 22
0
use helper methods in controller? (sanitize)
Hi, I want to use the method sanitize() to clean up some user input before I save it to the db. sanitize() is a helper method, so it is only usable in templates, right? So how can I use helper methods in the controller, or why should I not? I could build a template like "<%=sanitize(input)-%>" and use render_to_string, but that seems pretty hackish. Or I could sanitize every
2007 Nov 16
0
ActionView::Helpers::SanitizeHelper.sanitize docs
Hello, First sentence of sanitize() method doc says: "This sanitize helper will html encode all tags and strip all attributes that aren't specifically allowed." But sanitize("<h1>foo</h1> <bar>should html encode</bar>") == "<h1>foo</h1> should html encode". Shouldn't it html encode <bar> to
2009 Oct 23
0
Sanitize html with :before_save depending on logged in user
I would like to sanitize attributes (with the 'sanitize' gem) unless the model is being saved by an admin. (Suppose this model doesn't have any relationship with the user model.) # In model.rb: :before_save set_html_plain def set_html_plain self.body = Sanitize.clean(self.body) end Two questions: 1) How can I check here if the saving process has been initialized by
2008 Jul 11
2
Error in prototype.js ......var value = element.style[style];
Hi, I have a script that throws an error in prototype.js on line 1889. It's just started showing... it's not breaking my app at all, just showing the error. I can't track back to where it started happening, though. It's this line: var value = element.style[style]; Has anyone encountered this before... do you have any hints on how to track this bug down?
2006 Nov 28
0
tzinfo_timezone/tzinfo can't modify frozen object
Hi. I get the following error off and on in my app. I'm running latest EdgeRails in development mode, and use the tzinfo_timezone plugin and the tzinfo 0.3.3 gem. I've checked line 210 in tzinfo_timezone.rb but cannot relate that to an object modification in tzinfo. Any tips much appreciated. ActionView::TemplateError (can't modify frozen object) on line #29 of
2017 Jan 31
1
CFI, Safe-Stack, and -fno-sanitize-trap
Hi, I am using clang++3.9 to build a simple program with both CFI and safe-stack. I am getting linker errors when combining -fsanitize=safe-stack, -fsanitize=cfi, and -fno-sanitize-trap=all. Combining safe-stack and CFI without -fno-sanitize-trap=all works as expected. It looks like clang is attempting to link in two compiler-rt libraries, one for ubsan and one for safestack, and this causes
2009 Jan 24
1
Rails sanitize method is stripping my anchors
Hi, I have some html pages that are saved in DB and which require anchors for quickly jumping inside the page. People can edit the page manually, so in order to keep things clean I use Rails sanitize method to clean the html before output. The problem is that it is stripping my anchors. e.g: <h2 id='team'>Our Team</h2> becomes <h2>Our Team</h2> How can
2008 Feb 01
4
How to sanitize _before_ going into the database?
I use a call to the sanitize method every time I render some user input, but it would be much nicer if I could clean it up once before putting it into the database and avoid having to call the (relatively expensive) sanitize every time I render a page. My first thought was to just add something like: def message=(x) self[:message]=sanitize(x) end However, the sanitize helper cannot be called
2006 May 05
4
Is sanitize() strong enough to protect me from XSS?
Haven't been able to find a good enough answer on whether using sanitize() is enough to really protect me from XSS attacks. I basically have a blog page that I want to allow people to display comments on, but would like to allow html tags to be posted in the comments; these could be html tags like the imageshack img tags, youtube player, photobucket img tags etc. Any other approaches or
2009 Apr 22
2
what escape or sanitize functions are out there?
i found the following functions or methods to escape HTML, URL params, or Javascript data: <%= h @ha %> <%= sanitize @ha %> <%= u @ha %> <%= @ha.to_json %> <%= strip_tags @ha %> are there more functions or methods to do these things? and are there alternative ways to do that? thanks. -- Posted via http://www.ruby-forum.com/.
2006 Aug 09
0
h() assistant or sanitize() with form_remote_for
How can I html-escape an input field in my form? I cannot use them directly: h(f.text_field 'name', :size => 30 %) or sanitize(f.text_field 'name', :size => 30 %) are incorrect.... <% form_remote_for :property, @property, :url => {:action => @action, :id => @property }, :loading =>
2007 Jan 18
1
Internet Explorer - Sanitize Uploaded Filenames
Hi all, Somewhat of a noob here. I have a table that has 5 file fields, and they are named file, file2, file3, file4, file 5. All of them will be .doc files. In firefox, I can upload these files just fine, and they will show up as Document.doc. In IE, it prepends the entire path. C:\My Documents\User\Desktop\Document.doc Which makes the file unreadable, and un-downloadable. I know that the
2014 Nov 17
0
[PATCH V3 2/2] virtio-net: sanitize buggy features advertised by host
On Mon, Nov 17, 2014 at 05:17:18PM +0800, Jason Wang wrote: > This patch tries to detect the possible buggy features advertised by host > and sanitize them. One example is booting virtio-net with only ctrl_vq > disabled, qemu may still advertise many features which depends on it. This > will trigger several BUG()s in virtnet_send_command(). > > This patch utilizes the
2005 May 24
3
textilize/markdown/sanitize for messageboards, oh my!
Hullo, fellow Railsers! (warning: this isn't a 100% Rails specific question, but I guess it very much applies to what a lot of us are currently doing.) For a project that involves messageboard functionality I'm looking for a good way of sanitizing user input, so the silly fools, err, my wonderful users don't mess things up too much. I've played around with
2013 Feb 28
1
The accurate CPU usage of a domain?
Hi, all. I want to get a relatively accurate cpu usage of a domain. I have a few questions about virDomainGetInfo: struct virDomainInfo{ unsigned char state : //the running state, one of virDomainState unsigned long maxMem :// the maximum memory in KBytes allowed unsigned long memory :// the memory in KBytes used by the domain unsigned short nrVirtCpu :// the number of virtual CPUs for the
2020 Apr 04
0
[nbdkit PATCH 2/2] server: Sanitize stdin/out before running plugin code
As shown in the previous patch, plugins may choose to use stdin or stdout during .config. But from .get_ready onwards, well-written plugins shouldn't be needing any further use of stdin/out. We already swapped stdin/out to /dev/null while daemonizing, but did not do so during -f or --run, which leads to some surprising inconsistency when trying to debug a plugin that works in the foreground
2014 Nov 17
1
[PATCH V3 2/2] virtio-net: sanitize buggy features advertised by host
This patch tries to detect the possible buggy features advertised by host and sanitize them. One example is booting virtio-net with only ctrl_vq disabled: qemu may still advertise many features which depend on it. This will trigger several BUG()s in virtnet_send_command(). This patch utilizes the sanitize_features() method, and disables all features that depend on ctrl_vq if it was not