Displaying 20 results from an estimated 5000 matches similar to: "Security - How to sanizitize JSON?"
2012 Dec 12
0
Sanitize for style attributes
It's really confusing to decide whether sanitize will help avoid XSS in
case when :attributes => %w( style )
On stackoverflow, people say that it is not safe, yet the examples they
give, such as
style="background-image: url(javascript:[code]);"
are being filtered out using sanitize and all that is left is style=""
Is there a way to get a definite answer if
2010 Mar 31
1
[PATCH] Upgrading the server to work with Rails 2.3.4.
Signed-off-by: Darryl L. Pierce <dpierce at redhat.com>
---
src/app/controllers/application_controller.rb | 2 +-
src/config/environment.rb | 2 +-
src/config/initializers/new_rails_defaults.rb | 6 +++++-
3 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/src/app/controllers/application_controller.rb b/src/app/controllers/application_controller.rb
2006 May 11
3
sanitize dangers
I've noticed that it is possible to pass javascript unaltered through
the sanitize function using CSS. For example:
sanitize( "<style
type='text/css'>body{background-image:url('javascript:window.alert(1)')
}</style>" )
IE will execute the javascript. Firefox will not. I haven't tried it
with any other browsers.
2006 May 05
4
Is sanitize() strong enough to protect me from XSS?
Haven't been able to find a good enough answer on whether using
sanitize() is enough to really protect me from XSS attacks.
I basically have a blog page that I want to allow people to display
comments on, but would like to allow html tags to be posted in the
comments; these could be html tags like the imageshack img tags, youtube
player, photobucket img tags etc.
Any other approaches or
2008 Apr 25
2
json => hash in Ruby
Hi everyone,
I would like to decode a json string and transform it into a hash in
ruby.
I tried
json = "{\"userid\" : \"21\", \"friendid\" : \"9\"}"
hash = ActiveSupport::JSON.decode(json)
puts hash[:userid]
however, this gives NIL back. How do I have to do this?
Thanks for any help!
2006 May 14
0
Beware of HashWithIndifferentAccess#symbolize_keys!
Hi,
I just posted a patch to the rails trac for a bug we found where
running symbolize_keys! on a HashWithIndifferentAccess will delete all
items from the hash. Please make sure you either never call
symbolize_keys! (or to_options!, which just aliases it) on a
HashWithIndifferentAccess, or apply the patch attached to the ticket
at: http://dev.rubyonrails.org/ticket/5076
I also posted a much longer
2006 Jan 09
3
XSS prevention with Rails
Hi!
I wanna take a stab at implementing better XSS prevention for Rails.
This time for real =)
I'm wondering what would be the better way: clean everything up with
tidy first and then do the rest with regexp, or regexp all the way?
Anybody done this before?
Thanks!
Ciao!
Florian
2006 Oct 16
3
Saving many_to_many
Ahoy, I'm trying to save a many-to-many between "talent" and "vital
stat"
talent_controller.rb
def edit
@talent = Talent.find(params[:id], :include => [:talent_type,
:vital_stats])
@talent_types = TalentType.find_all
@vital_stats = VitalStat.find_all
if request.post?
@talent.attributes = params[:talent]
@talent.attributes =
2008 Jan 21
1
specin' update_attributes! + Hash
Hi,
I am facing a problem while trying to test a method that updates an
attribute. The attribute format should be converted to YAML format
before storing in the table, which is exactly what is going on. But when
testing it using expectations in rspec it returns an error.
*** below is the error message :
Spec::Mocks::MockExpectationError in 'InteractController (submit) -
saving a form to
2006 Apr 18
4
Security considerations with displaying uploaded HTML
I have an application where I am allowing users to upload (or refer the
app. to) arbitrary HTML that I am (currently) displaying in an IFRAME
on a page. The users will be authenticated so it's not open to the
entire universe.
I was always uneasy with this, but after reading the security chapter of
AWDWR, I am even more concerned.
What kinds of applications do people have out there
2013 Jun 04
0
Codec Mismatch
Sometimes in huge call volume am facing this type of error,
[Jun 4 08:42:46] WARNING[8459][C-000079fa]: channel.c:5075 ast_write:
Codec mismatch on channel Local/8038 at xss-call-out-00004774;1 setting write
format to slin from ulaw native formats (ulaw)
[Jun 4 08:43:04] WARNING[8285][C-000079da]: channel.c:5075 ast_write:
Codec mismatch on channel Local/6513 at xss-call-out-00004775;1 setting
2012 Jun 01
3
Serialized attribute saved as HashWithIndifferentAccess in database
My Booking model has: serialize :custom_data, Hash
From the console it works as expected saving values to the custom_data
attribute.
But when having a form with parameters like
this: booking[custom_data][hello] and creating a new object in the
controller like this: Booking.new( params[:booking] ), values are saved in
the database with added metadata like this: ---
2006 Jul 08
2
Creating/Saving dependent objects
Folks,
Am new to RoR and am building an example to get myself familiar. I am
running into a simple issue while creating a user registration page.
I have a User and Address models defined as below (partial/relevant code
included below). User has_one address and Address belongs_to user. I have a
foreign key defined in address table that refers to user(id)
In a form I take in username, password,
2009 Oct 13
1
loofah 0.3.1 Released
loofah version 0.3.1 has been released!
* <http://loofah.rubyforge.org>
* <http://rubyforge.org/projects/loofah>
* <http://github.com/flavorjones/loofah>
Loofah is an HTML sanitizer. It will always fix broken markup, but
can also sanitize unsafe tags in a few different ways, and transform
the markup for storage or display.
It's built on top of Nokogiri and libxml2, so
2005 May 13
5
HTML sanitizer
Hello!
Does anybody know of a Ruby implementation of a HTML sanitizer that
prevents the attacks described on the xss cheatsheet?
(http://ha.ckers.org/xss.html)
I checked out the version Jamis wrote
(http://dev.rubyonrails.com/ticket/1277), but that only covers the
very basic attacks.
Anybody? Just figured I would ask before I reinvent the wheel..
Ciao!
Florian
2009 Jun 04
0
XSS (was Re: Centos 5.3 -> Apache - Under Attack ? Oh hell....)
Bob Hoffman wrote:
> Since each install uses the same pages basically, it is easy for an autobot
> to find them all and zero day your forums, xss your whatever, and so on.
>
> Dang scary to leave JS on at all....even though you basically have to.
Mozilla is beginning to address this issue with Content Security Policy
2005 Dec 03
1
typecasting HashWithIndifferentAccess
I want to typecast an object of HashWithIndifferentAccess (params) to Hash.
What's the way of doing this (except each?)
Thanks in advance.
2010 Feb 02
0
[Security] Loofah has an HTML injection / XSS vulnerability, please upgrade to 0.4.6
Synopsis
----------
Loofah::HTML::Document#text emits unencoded HTML entities prior to
0.4.6. This was originally by design, since the output of #text is
intended to be used in a non-HTML context (such as generation of
human-readable text documents).
However, Loofah::XssFoliate's default behavior and
Loofah::Helpers#strip_tags
both use #text to strip tags out of the output, meaning that
2008 Jan 31
0
Cross Site Sniper 0.2 (stable)
I'm pleased to announce the release of Cross Site Sniper 0.2.
Cross Site Sniper is one more addition to the ever growing list of tools
that attempt to provide a convenient and DRY method to protect Rails
sites from Cross Site Scripting (XSS) attacks. There are many plugins
and tools out there that attempt to address this issue, but none of them
met my requirements. So, I created
2015 Jun 12
0
C5 : Firefox 38 bug
On Sat, Jun 10, 2062 at 01:16:03PM -0600, jd1008 wrote:
> On 06/12/2015 01:01 PM, Gordon Messmer wrote:
> >As far as cookies go, you're even further from the truth. A script can
> >only access cookies whose domain matches the origin of the script.
>
> Your final line is not true.
It's technically true; however, XSS attacks can get around that
restriction, which is why