Displaying 20 results from an estimated 20000 matches similar to: "Sanitize for style attributes"
2006 May 11
3
sanitize dangers
I've noticed that it is possible to pass javascript unaltered through
the sanitize function using CSS. For example:
sanitize( "<style type='text/css'>body{background-image:url('javascript:window.alert(1)')}</style>" )
IE will execute the javascript. Firefox will not. I haven't tried it
with any other browsers.
2012 Dec 08
0
Security - How to sanitize JSON?
Hi, I'm on Rails 3.2.8 and one of my apps sends some json to create DB
objects. What's the best way to sanitize json?
I found this post claiming that for json we need to escape manually
since json_escape is broken:
http://blog.bigbinary.com/2012/05/10/xss-and-rails.html
I tried using the sanitize gem (https://github.com/rgrove/sanitize/) but
when using it on a json string it
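Added example, not from the post above or from Rails: the post it links discusses escaping JSON that is interpolated into an HTML page, which is a different job from sanitizing JSON input. The module below shows that job in plain Ruby with only the stdlib `json` library. Module and method names (`JsonForHtml`, `json_escape`, `to_script_json`, `script_tag`) are hypothetical; the sample payload is constructed.

```ruby
# Added example (not Rails' implementation): escaping serialized JSON so it
# can be embedded inside a <script> element without letting a value such as
# "</script>" close the element early.
require 'json'

module JsonForHtml
  # Characters that matter once JSON lands inside HTML/JavaScript:
  #   < > &        could form "</script>" or start an HTML entity
  #   U+2028/2029  are line terminators in JavaScript but plain text in JSON
  # Each is replaced by a \uXXXX escape, which is still valid JSON with the
  # same meaning, so JSON.parse on the result returns the original data.
  ESCAPES = {
    '<' => '\u003c', '>' => '\u003e', '&' => '\u0026',
    "\u2028" => '\u2028', "\u2029" => '\u2029'
  }.freeze

  # Escape already-serialized JSON text.
  def self.json_escape(json_text)
    json_text.gsub(/[<>&\u2028\u2029]/) { |c| ESCAPES[c] }
  end

  # Serialize a Ruby object and escape it in one step.
  def self.to_script_json(obj)
    json_escape(JSON.generate(obj))
  end

  # Hypothetical view helper: the inline script block a template would emit.
  # The variable name is validated so it cannot itself carry JavaScript.
  def self.script_tag(var_name, obj)
    unless var_name.match?(/\A[A-Za-z_$][\w$]*\z/)
      raise ArgumentError, "bad JavaScript identifier: #{var_name.inspect}"
    end
    "<script>var #{var_name} = #{to_script_json(obj)};</script>"
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample: a user comment that tries to break out of the script.
  payload = { 'comment' => "</script><script>alert(1)</script>" }
  puts JsonForHtml.script_tag('data', payload)
end
```

The point of the check is the round trip: the escaped text must still parse back to the same data, otherwise the helper has broken the JSON rather than protected the page.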
2006 May 05
4
Is sanitize() strong enough to protect me from XSS?
Haven't been able to find a good enough answer on whether using
sanitize() is enough to really protect me from XSS attacks
I basically have a blog page that I want to allow people to display
comments on but would like to allow html tags to be posted on the
comments, these could be html tags like the imageshack img tags, youtube
player, photobucket img tags etc
any other approaches or
2009 Oct 26
0
sanitize removes negative value in style
Wonder if it is intended behaviour that sanitize removes a style like
"margin:-3px".
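Added example, not from either post or from Rails: the 2006 report above shows a javascript: URL riding through a tag allow-list inside CSS, and the 2009 post asks why a harmless "margin:-3px" is dropped. Both come down to filtering CSS at the declaration level, which the plain-Ruby filter below does: it rejects url() targets whose scheme is not http/https, rejects expression()/behavior/-moz-binding/@import, and keeps ordinary values such as negative margins. It also normalises the obfuscations a browser tolerates (HTML entities, CSS comments, CSS backslash escapes, embedded control characters). All names (`CssFilter`, `sanitize_css`, the allow-lists) are hypothetical and the inputs in the usage section are constructed.

```ruby
# Added example (not the Rails sanitizer): a declaration-level CSS filter.
require 'cgi'

module CssFilter
  # Properties we are willing to pass through at all (hypothetical allow-list).
  ALLOWED_PROPERTIES = %w[color background-color background-image margin
                          padding font-size font-weight text-align width
                          height].freeze

  # The only schemes accepted inside url(...). javascript:, vbscript:, data:
  # and scheme-less or protocol-relative targets are all rejected.
  ALLOWED_URL_SCHEMES = %w[http https].freeze

  # Constructs that run code or pull in resources in older IE / Gecko.
  DANGEROUS = /expression\s*\(|behavior\s*:|-moz-binding|@import/i

  # Bring a token to the form the CSS engine effectively sees: drop CSS
  # comments ("java/**/script"), resolve backslash escapes ("\6A avascript"),
  # drop control characters such as embedded tabs and newlines, and trim.
  def self.normalize(value)
    v = value.to_s.gsub(%r{/\*.*?\*/}m, '')
    v = v.gsub(/\\([0-9a-fA-F]{1,6})\s?/) do
      cp = Regexp.last_match(1).hex
      valid = cp <= 0x10FFFF && !cp.between?(0xD800, 0xDFFF)
      valid ? cp.chr(Encoding::UTF_8) : ''
    end
    v.gsub(/[\x00-\x1f\x7f]/, '').strip
  end

  # Every url(...) in the value must name an allowed scheme explicitly.
  def self.safe_urls?(value)
    value.scan(/url\s*\(\s*['"]?\s*([^'")]*)/i).flatten.all? do |target|
      scheme = target[/\A([a-z][a-z0-9+.-]*):/i, 1]
      !scheme.nil? && ALLOWED_URL_SCHEMES.include?(scheme.downcase)
    end
  end

  # Keep only declarations whose property is allowed and whose value passes
  # both checks; everything else is dropped rather than rewritten.
  def self.sanitize_css(css)
    # A browser entity-decodes a style attribute once before parsing CSS, so
    # decode the whole value first and only then split on ';'. (For a <style>
    # element body this decoding step is merely conservative.) Splitting on
    # ';' is safe here because the only values that legitimately contain ';'
    # are data: URIs, which are rejected anyway.
    decoded = CGI.unescapeHTML(css.to_s)
    decoded.split(';').each_with_object([]) do |decl, kept|
      prop, value = decl.split(':', 2)
      next if prop.nil? || value.nil?
      prop  = normalize(prop).downcase
      value = normalize(value)
      next unless ALLOWED_PROPERTIES.include?(prop)
      next if value.match?(DANGEROUS)
      next unless safe_urls?(value)
      kept << "#{prop}:#{value}"
    end.join(';')
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed inputs: the 2006 payload, an obfuscated variant, and the
  # negative margin from the 2009 post.
  puts CssFilter.sanitize_css("background-image:url('javascript:window.alert(1)')").inspect
  puts CssFilter.sanitize_css("background-image:url(java/**/script:alert(1))").inspect
  puts CssFilter.sanitize_css("margin:-3px").inspect
end
```

Dropping a whole declaration, rather than trying to repair it, is the safer default: a filter that rewrites values has to reason about how every browser re-parses its output, while a filter that only passes through values it fully understands does not.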
2008 Feb 01
4
How to sanitize _before_ going into the database?
I use a call to the sanitize method every time I render some user
input, but it would be much nicer if I could clean it up once before
putting it into the database and avoid having to call the (relatively
expensive) sanitize every time I render a page.
My first thought was to just add something like:
def message=(x)
self[:message]=sanitize(x)
end
However, the sanitize helper cannot be called
2005 May 13
5
HTML sanitizer
Hello!
Does anybody know of a Ruby implementation of a HTML sanitizer that
prevents the attacks described on the xss cheatsheet?
(http://ha.ckers.org/xss.html)
I checked out the version Jamis wrote
(http://dev.rubyonrails.com/ticket/1277), but that only covers the
very basic attacks.
Anybody? Just figured I would ask before, before I reinvent the wheel..
Ciao!
Florian
2009 Oct 13
1
loofah 0.3.1 Released
loofah version 0.3.1 has been released!
* <http://loofah.rubyforge.org>
* <http://rubyforge.org/projects/loofah>
* <http://github.com/flavorjones/loofah>
Loofah is an HTML sanitizer. It will always fix broken markup, but
can also sanitize unsafe tags in a few different ways, and transform
the markup for storage or display.
It's built on top of Nokogiri and libxml2, so
2012 Aug 10
0
Missing earlier versions work around for "XSS Vulnerability in strip_tags"
The rubyonrails-security announcement for CVE-2012-3465 "XSS
Vulnerability in strip_tags" mentions that a work around for earlier
versions should be attached, but there's none, only patches for 3.0
series and up.
Is the work around available? If so, where can I get hold of it?
Thanks in advance,
Peter
--
Posted via http://www.ruby-forum.com/.
2005 Dec 22
0
use helper methods in controller? (sanitize)
Hi,
I want to use the method sanitize() to clean up some user input before I
save it to the db. sanitize() is a helper method, so it is only usable
in templates, right?
So how can I use helper methods in the controller, or why should I not?
I could build a template like "<%=sanitize(input)-%>" and use
render_to_string, but that seems pretty hackish.
Or I could sanitize every
2007 Nov 16
0
ActionView::Helpers::SanitizeHelper.sanitize docs
Hello,
First sentence of sanitize() method doc says: "This sanitize helper
will html encode all tags and strip all attributes that aren't
specifically allowed."
But sanitize("<h1>foo</h1> <bar>should html encode</bar>") ==
"<h1>foo</h1> should html encode".
Shouldn''t it html encode <bar> to
2009 Oct 23
0
Sanitize html with :before_save depending on logged in user
I would like to sanitize attributes (with 'sanitize' gem) but unless the
model is being saved by admin. (Suppose this model doesn't have any
relationship with user model)
# In model.rb:
before_save :set_html_plain
def set_html_plain
  self.body = Sanitize.clean(self.body)
end
Two questions:
1) How can I check here if saving process has been initialized by
2009 Apr 22
2
what escape or sanitize functions are out there?
I found the following functions or methods to escape HTML, URL params, or
Javascript data:
<%= h @ha %>
<%= sanitize @ha %>
<%= u @ha %>
<%= @ha.to_json %>
<%= strip_tags @ha %>
are there more functions or methods to do these things?
and are there alternative ways to do that? thanks.
--
Posted via http://www.ruby-forum.com/.
2017 Jan 31
1
CFI, Safe-Stack, and -fno-sanitize-trap
Hi,
I am using clang++3.9 to build a simple program with both CFI and safe-stack. I am getting linker errors when combining -fsanitize=safe-stack, -fsanitize=cfi, and -fno-sanitize-trap=all. Combining safe-stack and CFI without -fno-sanitize-trap=all works as expected.
It looks like clang is attempting to link in two compiler-rt libraries, one for ubsan and one for safestack, and this causes
2006 Apr 18
4
Security considerations with displaying uploaded HTML
I have an application where I am allowing users to upload (or refer the
app. to) arbitrary HTML that I am (currently) displaying in an IFRAME
on a page. The users will be authenticated so it's not open to the
entire universe.
I was always uneasy with this, but after reading the security chapter of
AWDWR, I am even more concerned.
What kinds of applications do people have out there
2009 Jan 24
1
Rails sanitize method is stripping my anchors
Hi,
I have some html pages that are saved in DB and which require anchors
for quickly jumping inside the page. People can edit the page manually,
so in order to keep things clean I use Rails sanitize method to clean
the html before output. The problem is that it is stripping my anchors.
e.g: <h2 id='team'>Our Team</h2> becomes <h2>Our Team</h2>
How can
2006 Jan 09
3
XSS prevention with Rails
Hi!
I wanna take a stab at implementing better XSS prevention for Rails.
This time for real =)
I'm wondering what would be the better way, clean everything up with
tidy first and then do the rest with regexp or regexp all the way?
Anybody done this before?
Thanks!
Ciao!
Florian
2010 Feb 02
0
[Security] Loofah has an HTML injection / XSS vulnerability, please upgrade to 0.4.6
Synopsis
----------
Loofah::HTML::Document#text emits unencoded HTML entities prior to
0.4.6. This was originally by design, since the output of #text is
intended to be used in a non-HTML context (such as generation of
human-readable text documents).
However, Loofah::XssFoliate's default behavior and
Loofah::Helpers#strip_tags
both use #text to strip tags out of the output, meaning that
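Added example, not Loofah's code: a plain-Ruby model of the failure the advisory describes. Extracting the text of an HTML fragment decodes entities, so "&lt;script&gt;" in the input comes back as a literal "<script>"; a strip_tags helper that returns that text straight into an HTML context hands the page raw markup. The fixed helper re-encodes the text on the way out. The module and method names (`TagStripper`, `text`, `strip_tags_unsafe`, `strip_tags`) are hypothetical and the sample input is constructed; the tag remover is a deliberately small state machine, not a full HTML parser.

```ruby
# Added example (not Loofah): why a text accessor that decodes entities must
# not be used as an HTML-safe strip_tags without re-encoding its result.
require 'cgi'

module TagStripper
  # Remove element tags and comments, then decode entities, which is what a
  # DOM "text" accessor returns. Anything from a '<' to the next '>' is
  # treated as a tag (a bare '<' in running text is swallowed, which is the
  # conservative choice); an unterminated tag or comment drops the rest.
  def self.text(html)
    out = String.new
    i = 0
    while i < html.length
      if html[i] == '<'
        if html[i, 4] == '<!--'
          j = html.index('-->', i + 4)
          i = j ? j + 3 : html.length
        else
          j = html.index('>', i + 1)
          i = j ? j + 1 : html.length
        end
      else
        out << html[i]
        i += 1
      end
    end
    CGI.unescapeHTML(out)
  end

  # Vulnerable form: decoded text is handed back as if it were HTML-safe.
  # An input that contained "&lt;script&gt;" now contains "<script>".
  def self.strip_tags_unsafe(html)
    text(html)
  end

  # Fixed form: the decoded text is escaped again before it reaches a page.
  def self.strip_tags(html)
    CGI.escapeHTML(text(html))
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed input: entity-encoded script plus an ordinary tag.
  sample = "hello &lt;script&gt;alert(1)&lt;/script&gt; <b>bold</b>"
  puts TagStripper.strip_tags_unsafe(sample)
  puts TagStripper.strip_tags(sample)
end
```

The general rule this illustrates: decoding (entity expansion, URL decoding, JSON parsing) and encoding for an output context are separate steps, and a helper that does the first without the second is only safe in a non-HTML context, which is exactly the caveat the advisory gives for #text.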
2006 Aug 09
0
h() assistant or sanitize() with form_remote_for
How can I html-escape an input field in my form? I cannot use them
directly
h(f.text_field 'name', :size => 30) or sanitize(f.text_field 'name',
:size => 30) are incorrect....
<% form_remote_for :property, @property, :url => {:action => @action,
:id => @property }, :loading =>
2007 Jan 18
1
Internet Explorer - Sanitize Uploaded Filenames
Hi all,
Somewhat of a noob here. I have a table that has 5 file fields, and
they are named file, file2, file3, file4, file5. All of them will be
.doc files.
In firefox, I can upload these files just fine, and they will show up
as Document.doc. In IE, it prepends the entire path.
C:\My Documents\User\Desktop\Document.doc
Which makes the file unreadable, and un-downloadable. I know that the
2014 Nov 17
0
[PATCH V3 2/2] virtio-net: sanitize buggy features advertised by host
On Mon, Nov 17, 2014 at 05:17:18PM +0800, Jason Wang wrote:
> This patch tries to detect the possible buggy features advertised by host
> and sanitize them. One example is booting virtio-net with only ctrl_vq
> disabled, qemu may still advertise many features which depends on it. This
> will trigger several BUG()s in virtnet_send_command().
>
> This patch utilizes the