Displaying 20 results from an estimated 10000 matches similar to: "Article about protecting Rails apps from XSS attacks"
2006 Jan 25
1
Protecting Your Apps against Cross Site Scripting Attacks
This has been in the news lately, so I wrote up an article about a
method I use to protect my app against XSS attacks. It's easy to use
if you don't care how it works, and I go through some of the
metaprogramming techniques I used if you do. Check it out:
http://blog.explorationage.com/articles/2006/01/25/how-to-protect-your-rails-apps-against-cross-site-scripting-attacks
2006 May 05
4
Is sanitize() strong enough to protect me from XSS?
Haven't been able to find a good enough answer on whether using
sanitize() is enough to really protect me from XSS attacks
I basically have a blog page that I want to allow people to display
comments on but would like to allow html tags to be posted on the
comments, these could html tags like the imageshack img tags, youtube
player, photobucket img tags etc
any other approaches or
2009 Jun 04
0
XSS (was Re: Centos 5.3 -> Apache - Under Attack ? Oh hell....)
Bob Hoffman wrote:
> Since each install uses the same pages basically, it is easy for a autobot
> to find them all and zero day your forums, xss your whatever, and so on.
>
> Dang scary to leave JS on at all....even though you basically have to.
Mozilla is beginning to address this issue with Content Security Policy
-=-
2010 Feb 02
0
[Security] Loofah has an HTML injection / XSS vulnerability, please upgrade to 0.4.6
Synopsis
----------
Loofah::HTML::Document#text emits unencoded HTML entities prior to
0.4.6. This was originally by design, since the output of #text is
intended to be used in a non-HTML context (such as generation of
human-readable text documents).
However, Loofah::XssFoliate's default behavior and
Loofah::Helpers#strip_tags
both use #text to strip tags out of the output, meaning that
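The advisory above describes a hazard that is easy to reproduce without Loofah: a tag-stripper whose output is then handed to a text method that decodes entities. An entity-encoded payload contains no literal tags, so nothing is stripped, and the decoding step turns it into live markup. The following is an added illustration written for this page, not Loofah's code; the two strip_tags variants and the comment string are constructed to model the pre- and post-0.4.6 behaviour the advisory describes, and only Ruby's stdlib CGI module is used.

```ruby
require 'cgi'

# Constructed sample comment: the payload is entity-encoded, so a
# tag-stripper sees no "<img ...>" to remove.
COMMENT = "Nice post! &lt;img src=x onerror=alert(1)&gt;"

# Deliberately naive tag removal; it only exists to show the interaction
# with entity decoding described in the advisory.
def strip_tags(html)
  html.gsub(/<[^>]*>/, "")
end

# Assumed model of the pre-0.4.6 path: strip tags, then return text with
# entities decoded, because the text output was meant for non-HTML use.
def strip_tags_decoding(html)
  CGI.unescapeHTML(strip_tags(html))
end

# Assumed model of the fix: decode for stripping, then re-escape before
# the result goes back into an HTML context.
def strip_tags_encoding(html)
  CGI.escapeHTML(CGI.unescapeHTML(strip_tags(html)))
end

# What a view does when it trusts the sanitizer's output and emits it raw.
def render_comment(text)
  "<p>#{text}</p>"
end

# True when the rendered fragment contains a tag the browser would act on.
def contains_live_tag?(html_fragment)
  html_fragment.match?(/<(img|script|svg|iframe)\b/i)
end

if __FILE__ == $0
  puts render_comment(strip_tags_decoding(COMMENT))  # live <img onerror=...>
  puts render_comment(strip_tags_encoding(COMMENT))  # inert &lt;img ...&gt;
end
```

The rule this demonstrates: whatever a strip-tags helper returns is only safe in HTML if it is HTML-escaped on the way back in; a sanitizer's text output is not an HTML-safe string.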
2006 Jan 09
3
XSS prevention with Rails
Hi!
I wanna take a stab at implementing better XSS prevention for Rails.
This time for real =)
I'm wondering what would be the better way, clean everything up with
tidy first and then do the rest with regexp or regexp all the way?
Anybody done this before?
Thanks!
Ciao!
Florian
2012 Aug 10
0
Missing earlier versions work around for "XSS Vulnerability in strip_tags"
The rubyonrails-security announcement for CVE-2012-3465 "XSS
Vulnerability in strip_tags" mentions that a work around for earlier
versions should be attached, but there's none, only patches for 3.0
series and up.
Is the work around available? If so, where can I get hold of it?
Thanks in advance,
Peter
--
Posted via http://www.ruby-forum.com/.
2006 Apr 19
3
Useful article for anyone programming for paid client work
We're working on a new series of applications called "RealApps" - simple
plugins and components add functionality to Rails applications. We just
posted an article describing the first one - a content management system.
We also go into the business case behind the design we chose. Good stuff for
programmers to know - especially if you are doing paid client work. It
2009 Aug 20
5
protecting multiuser systems from bruteforce ssh attacks
Hello,
What is the best way to protect multiuser systems from brute force
attacks? I am setting up a relatively loose DenyHosts policy, but I
like the idea of locking an account for a time if too many attempts
are made, but to balance this with keeping the user from making a
helpdesk call.
What are some policies/techniques that have worked for this list with
minimal hassle?
Thanks!
-Eugene
2012 Jan 26
3
Puppet Dashboard 1.2.5 Available [security update - moderate]
Welcome to the first Puppet Dashboard maintenance release of the new year.
This release includes a security update to address CVE-2012-0891, a
XSS vulnerability discovered by David Dasz <david@dasz.at>. We have
classified the risk from this exposure as moderate. All Puppet Dashboard
users are encouraged to upgrade when possible.
Puppet Enterprise users
should visit
2005 May 13
5
HTML sanitizer
Hello!
Does anybody know of a Ruby implementation of a HTML sanitizer that
prevents the attacks described on the xss cheatsheet?
(http://ha.ckers.org/xss.html)
I checked out the version Jamis wrote
(http://dev.rubyonrails.com/ticket/1277), but that only covers the
very basic attacks.
Anybody? Just figured I would ask before I reinvent the wheel..
Ciao!
Florian
2008 Jan 31
0
Cross Site Sniper 0.2 (stable)
I'm pleased to announce the release of Cross Site Sniper 0.2.
Cross Site Sniper is one more addition to the ever growing list of tools
that attempt to provide a convenient and DRY method to protect Rails
sites from Cross Site Scripting (XSS) attacks. There are many plugins
and tools out there that attempt to address this issue, but none of them
met my requirements. So, I created
2015 Jun 12
0
C5 : Firefox 38 bug
On Sat, Jun 10, 2062 at 01:16:03PM -0600, jd1008 wrote:
> On 06/12/2015 01:01 PM, Gordon Messmer wrote:
> >As far as cookies go, you're even further from the truth. A script can
> >only access cookies whose domain matches the origin of the script.
>
> Your final line is not true.
It's technically true, however, XSS attacks can get around that
restriction, which is why
2009 Sep 04
0
Question on the XSS Security Patch
After reading this security bulletin:
http://groups.google.com/group/rubyonrails-security/msg/7f57cd7794e1d1b4?pli=1
I am a bit confused as to which patch I should apply. My application is
currently running on a frozen copy of Rails 2.2.2. Reading the bulletin
it appears that I should instead apply the 2-2-CVE-2009-3009.patch for the
"2.2 series" of Rails. However, the patch introduces a
2006 May 11
3
sanitize dangers
I've noticed that it is possible to pass javascript unaltered through
the sanitize function using CSS. For example:
sanitize( "<style type='text/css'>body{background-image:url('javascript:window.alert(1)')}</style>" )
IE will execute the javascript. Firefox will not. I haven''t tried it
with any other browsers.
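Both the earlier question ("Is sanitize() strong enough to protect me from XSS?", where the goal is to let commenters post image and embed tags) and the CSS bypass shown just above come down to the same two properties: a sanitizer must allowlist elements and attributes rather than strip known-bad ones, and it must drop the bodies of style and script elements and reject URL schemes other than the ones you expect. The block below is an added example written for this page; it is not Rails' sanitize helper nor any library's code. It uses a regex tokenizer, which is fine for showing the allowlist logic but is not a substitute for a parser-based sanitizer in production (attribute values containing ">" and malformed markup will confuse it). The tag, attribute and scheme lists are assumptions chosen to fit the blog-comment use case from the question.

```ruby
require 'cgi'

# Allowlists (assumed for the example): what a blog comment may contain.
ALLOWED_TAGS    = %w[a b i em strong p br img].freeze
VOID_TAGS       = %w[br img].freeze
ALLOWED_ATTRS   = { "a" => %w[href], "img" => %w[src alt] }.freeze
ALLOWED_SCHEMES = %w[http https].freeze

# Elements whose content must go too: CSS and script bodies are never
# safe to re-emit as text in an HTML context.
DROP_WITH_CONTENT = %r{<(style|script)\b[^>]*>.*?</\1\s*>}mi

ATTR_RE  = /([A-Za-z][A-Za-z0-9-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/
TOKEN_RE = %r{</?[A-Za-z][^>]*>|[^<]+|<}

# Accept relative URLs and absolute URLs on an allowlisted scheme.
def safe_url?(value)
  # Browsers ignore control characters and whitespace inside a scheme
  # (e.g. "java\tscript:"), so strip them before inspecting it.
  cleaned = value.gsub(/[\x00-\x20]/, "").downcase
  m = cleaned.match(/\A([a-z][a-z0-9+.-]*):/)
  m.nil? || ALLOWED_SCHEMES.include?(m[1])
end

# Keep only allowlisted attributes; URL-bearing ones also pass safe_url?.
# Event handlers and style attributes are simply absent from the allowlist.
def clean_attributes(tag, raw)
  allowed = ALLOWED_ATTRS.fetch(tag, [])
  raw.scan(ATTR_RE).filter_map do |name, dq, sq, bare|
    name  = name.downcase
    value = dq || sq || bare
    next unless allowed.include?(name)
    next if %w[href src].include?(name) && !safe_url?(value)
    %( #{name}="#{CGI.escapeHTML(value)}")
  end.join
end

def sanitize_html(html)
  html.gsub(DROP_WITH_CONTENT, "").scan(TOKEN_RE).map do |tok|
    case tok
    when %r{\A</([A-Za-z][A-Za-z0-9]*)}
      tag = $1.downcase
      ALLOWED_TAGS.include?(tag) && !VOID_TAGS.include?(tag) ? "</#{tag}>" : ""
    when %r{\A<([A-Za-z][A-Za-z0-9]*)(.*)\z}m
      tag, rest = $1.downcase, $2
      ALLOWED_TAGS.include?(tag) ? "<#{tag}#{clean_attributes(tag, rest)}>" : ""
    when "<"
      "&lt;"   # a stray "<" that is not a tag
    else
      # Normalise text: decode whatever entities it carries, then re-escape,
      # so "&lt;script&gt;" stays inert and "&amp;" is not double-encoded.
      CGI.escapeHTML(CGI.unescapeHTML(tok))
    end
  end.join
end

if __FILE__ == $0
  css_vector = "<style type='text/css'>body{background-image:url('javascript:window.alert(1)')}</style>"
  puts sanitize_html(css_vector).inspect
  puts sanitize_html(%q{<img src="http://imageshack.example/x.png" onerror="alert(1)">})
  puts sanitize_html(%q{<a href="javascript:alert(1)">click</a>})
end
```

Run against the CSS vector from the post above, the whole style element disappears rather than being passed through, and a `style` attribute would be dropped for the same reason: neither is on the allowlist, so there is nothing to "detect". The check a practitioner should run against any sanitizer they adopt is exactly this set of inputs: the style element, an inline event handler, a javascript: href, and a scheme with embedded whitespace.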
2009 Mar 22
2
Backporting and Apache 2.0.52 is 4 1/2 years old
http://httpd.apache.org/security/vulnerabilities_20.html
states that Apache 2.0.52 is 4 years old and the latest version is 2.0.68.
i am no longer a httpd expert, but at least one of the security fixes
involves XSS attacks via malformed ftp commands. I also realize that
redhat / centos may patch things separately from Apache and that the
sysadmin has a great deal to do with how secure things
2012 Dec 18
1
off-topic: firefox & noscript
Not a biggie, but definitely annoying: I try to register for a media site,
so I can put in a comment, and every time I hit "register", noscript pops
up telling me it's protecting me from cross-site scripting... and if it's
giving me any way to say, "that's ok for this site", I don't see it. I've
tried typing in a pattern for xss, and no joy.
Clues for the
2006 Jul 28
1
Nasty pitfall: don't use ^ and $ in validation regexes!
Let's say you want to validate that an attribute contains only 2-10
lowercase characters, e.g. with validates_format_of. The appropriate
regex is obviously /^[a-z]{2,10}$/, right?
Wrong! Try it with "abc\nANYTHING YOU LIKE" - this is perfectly valid.
On the second look the reason is clear: ^ matches the start of a line, $
matches the end of a line. So as long as one line in
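The pitfall above, worked through in plain Ruby as an added example for this page (not the original poster's code): the line-anchored pattern accepts the two-line input because `^` and `$` match at line boundaries in Ruby, while `\A` and `\z` bound the whole string. `\Z` is shown as well, since it is a common half-fix: it still permits one trailing newline. The input strings are constructed for the example; note that Rails 4 and later raise an error from validates_format_of when the pattern uses `^` or `$` without `multiline: true`, for exactly this reason.

```ruby
# Constructed inputs: one legitimate value, one carrying a second line.
VALID  = "abc"
ATTACK = "abc\nANYTHING YOU LIKE"

LINE_ANCHORED   = /^[a-z]{2,10}$/    # as in the post: per-line anchors
STRING_ANCHORED = /\A[a-z]{2,10}\z/  # whole-string anchors
TRAILING_NL_OK  = /\A[a-z]{2,10}\Z/  # \Z still tolerates a final "\n"

# Mirrors what a format validation does: true when the value is accepted.
def valid_with?(regex, value)
  !(value =~ regex).nil?
end

# For an accepted value, returns whatever the anchors let through after the
# matched portion; nil when the value is rejected or fully matched.
def smuggled_payload(regex, value)
  m = value.match(regex)
  return nil if m.nil?
  rest = value[m.end(0)..]
  rest.empty? ? nil : rest
end

if __FILE__ == $0
  [LINE_ANCHORED, STRING_ANCHORED, TRAILING_NL_OK].each do |re|
    puts "#{re.inspect}: attack accepted=#{valid_with?(re, ATTACK)} " \
         "smuggled=#{smuggled_payload(re, ATTACK).inspect}"
  end
end
```

Whatever is accepted by the line-anchored check is later interpolated somewhere that trusts the validation (a template, a log line, a shell command), and the part after the newline rides along. Use `\A` and `\z`; reach for `\Z` only when a trailing newline is genuinely acceptable.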
2013 Jun 04
0
Codec Mismatch
Sometimes in huge call volume am facing this type of error,
[Jun 4 08:42:46] WARNING[8459][C-000079fa]: channel.c:5075 ast_write:
Codec mismatch on channel Local/8038 at xss-call-out-00004774;1 setting write
format to slin from ulaw native formats (ulaw)
[Jun 4 08:43:04] WARNING[8285][C-000079da]: channel.c:5075 ast_write:
Codec mismatch on channel Local/6513 at xss-call-out-00004775;1 setting
2016 Aug 30
3
Publication of an llvm-based tool that protects against fault injection attacks
Hello,
My team and I have recently published an LLVM-based tool at
“Cryptography and Security
in Computing Systems 2016” (CS2), and we would like to add it on the
list of LLVM related publications.
The goal of our tool is to automatically protect the code being compiled
against fault injection attacks
*Title:* Compilation of a Countermeasure Against Instruction-Skip Fault
Attacks
Available
2011 Jul 16
2
[LLVMdev] select1st, select2nd
Chris Lattner <clattner at apple.com> writes:
> The problem that I have with this sort of higher order metaprogramming
Metaprogramming? This isn't template metaprogramming if that's what you
mean.
> in C++'98 is that you're trading one set of complexity for another.
What's the other complexity?
-Dave