similar to: Security - How to sanizitize JSON?

Displaying 20 results from an estimated 5000 matches similar to: "Security - How to sanizitize JSON?"

2012 Dec 12
0
Sanitize for style attributes
It's really confusing to decide whether sanitize will help avoid XSS in case when :attributes => %w( style ) on stackoverflow, people say that it is not safe, yet the examples they give such as style="background-image: url(javascript:[code]);" is being filtered out using sanitize and all that is left is style="" is there a way to get a definite answer if
2010 Mar 31
1
[PATCH] Upgrading the server to work with Rails 2.3.4.
Signed-off-by: Darryl L. Pierce <dpierce at redhat.com> --- src/app/controllers/application_controller.rb | 2 +- src/config/environment.rb | 2 +- src/config/initializers/new_rails_defaults.rb | 6 +++++- 3 files changed, 7 insertions(+), 3 deletions(-) diff --git a/src/app/controllers/application_controller.rb b/src/app/controllers/application_controller.rb
2006 May 11
3
sanitize dangers
I've noticed that it is possible to pass javascript unaltered through the sanitize function using CSS. For example: sanitize( "<style type='text/css'>body{background-image:url('javascript:window.alert(1)') }</style>" ) IE will execute the javascript. Firefox will not. I haven't tried it with any other browsers.
2006 May 05
4
Is sanitize() strong enough to protect me from XSS?
Haven't been able to find a good enough answer on whether using sanitize() is enough to really protect me from XSS attacks I basically have a blog page that I want to allow people to display comments on but would like to allow html tags to be posted on the comments, these could html tags like the imageshack img tags, youtube player, photobucket img tags etc any other approaches or
2008 Apr 25
2
json => hash in Ruby
Hi everyone, I would like to decode a json string and transform it into a hash in ruby. I tried json = "{\"userid\" : \"21\", \"friendid\" : \"9\"}" hash = ActiveSupport::JSON.decode(json) puts hash[:userid] however, this gives NIL back. How do I have to do this? Thanks for any help!
2006 May 14
0
Beware of HashWithIndifferentAccess#symbolize_keys!
Hi, I just posted a patch to the rails trac for a bug we found where running symbolize_keys! on a HashWithIndifferentAccess will delete all items from the hash. Please make sure you either never call symbolize_keys! (or to_options! which just alias it) on a HashWithIndifferentAccess, or apply the patch attached from the ticket at: http://dev.rubyonrails.org/ticket/5076 I also posted a much longer
2006 Jan 09
3
XSS prevention with Rails
Hi! I wanna take a stab at implementing better XSS prevention for Rails. This time for real =) I'm wondering what would be the better way, clean everything up with tidy first and then do the rest with regexp or regexp all the way? Anybody done this before? Thanks! Ciao! Florian
2006 Oct 16
3
Saving many_to_many
Ahoy, I'm trying to save a many to many between "talent" and "vital stat" talent_controller.rb def edit @talent = Talent.find(params[:id], :include => [:talent_type, :vital_stats]) @talent_types = TalentType.find_all @vital_stats = VitalStat.find_all if request.post? @talent.attributes = params[:talent] @talent.attributes =
2008 Jan 21
1
specin' update_attributes! + Hash
Hi, I am facing a problem while trying to test a method that updates an attribute. The attribute format should be converted to YAML format before storing in the table which is exactly what is going on. But when testing it using expectations in rspec it returns an error. *** below is the error message : Spec::Mocks::MockExpectationError in 'InteractController (submit) - saving a form to
2006 Apr 18
4
Security considerations with displaying uploaded HTML
I have an application where I am allowing users to upload (or refer the app. to) arbitrary HTML that I am (currently) displaying in an IFRAME on a page. The users will be authenticated so it's not open to the entire universe. I was always uneasy with this, but after reading the security chapter of AWDWR, I am even more concerned. What kinds of applications do people have out there
2013 Jun 04
0
Codec Mismatch
Sometimes in huge call volume I am facing this type of error, [Jun 4 08:42:46] WARNING[8459][C-000079fa]: channel.c:5075 ast_write: Codec mismatch on channel Local/8038 at xss-call-out-00004774;1 setting write format to slin from ulaw native formats (ulaw) [Jun 4 08:43:04] WARNING[8285][C-000079da]: channel.c:5075 ast_write: Codec mismatch on channel Local/6513 at xss-call-out-00004775;1 setting
2012 Jun 01
3
Serialized attribute saved as HashWithIndifferentAccess in database
My Booking model has: serialize :custom_data, Hash From the console it works as expected saving values to the custom_data attribute. But when having a form with parameters like this: booking[custom_data][hello] and creating a new object in the controller like this: Booking.new( params[:booking] ), values are saved in the database with added metadata like this: ---
2006 Jul 08
2
Creating/Saving dependent objects
Folks, I am new to RoR and am building an example to get myself familiar. I am running into a simple issue while creating a user registration page. I have User and Address models defined as below (partial/relevant code included below). User has_one address and Address belongs_to user. I have a foreign key defined in address table that refers to user(id) In a form I take in username, password,
2009 Oct 13
1
loofah 0.3.1 Released
loofah version 0.3.1 has been released! * <http://loofah.rubyforge.org> * <http://rubyforge.org/projects/loofah> * <http://github.com/flavorjones/loofah> Loofah is an HTML sanitizer. It will always fix broken markup, but can also sanitize unsafe tags in a few different ways, and transform the markup for storage or display. It's built on top of Nokogiri and libxml2, so
2005 May 13
5
HTML sanitizer
Hello! Does anybody know of a Ruby implementation of a HTML sanitizer that prevents the attacks described on the xss cheatsheet? (http://ha.ckers.org/xss.html) I checked out the version Jamis wrote (http://dev.rubyonrails.com/ticket/1277), but that only covers the very basic attacks. Anybody? Just figured I would ask before I reinvent the wheel.. Ciao! Florian
2009 Jun 04
0
XSS (was Re: Centos 5.3 -> Apache - Under Attack ? Oh hell....)
Bob Hoffman wrote: > Since each install uses the same pages basically, it is easy for a autobot > to find them all and zero day your forums, xss your whatever, and so on. > > Dang scary to leave JS on at all....even though you basically have to. Mozilla is beginning to address this issue with Content Security Policy -=-
2005 Dec 03
1
typecasting HashWithIndifferentAccess
I want to typecast an object of HashWithIndifferentAccess (params) to Hash. What's the way of doing this (except each?) Thanks in advance.
2010 Feb 02
0
[Security] Loofah has an HTML injection / XSS vulnerability, please upgrade to 0.4.6
Synopsis ---------- Loofah::HTML::Document#text emits unencoded HTML entities prior to 0.4.6. This was originally by design, since the output of #text is intended to be used in a non-HTML context (such as generation of human-readable text documents). However, Loofah::XssFoliate's default behavior and Loofah::Helpers#strip_tags both use #text to strip tags out of the output, meaning that
2008 Jan 31
0
Cross Site Sniper 0.2 (stable)
I'm pleased to announce the release of Cross Site Sniper 0.2. Cross Site Sniper is one more addition to the ever growing list of tools that attempt to provide a convenient and DRY method to protect Rails sites from Cross Site Scripting (XSS) attacks. There are many plugins and tools out there that attempt to address this issue, but none of them met my requirements. So, I created
2015 Jun 12
0
C5 : Firefox 38 bug
On Sat, Jun 10, 2062 at 01:16:03PM -0600, jd1008 wrote: > On 06/12/2015 01:01 PM, Gordon Messmer wrote: > >As far as cookies go, you're even further from the truth. A script can > >only access cookies whose domain matches the origin of the script. > > Your final line is not true. It's technically true, however, XSS attacks can get around that restriction, which is why