Changesets can be listed by changeset number.
The Git repository is here.
- Revision:
- 344
- Log:
Massive changeset which brings the old, ROOL customised Instiki
version up to date, but without any ROOL customisations in this
latest checked-in version (which is 0.19.1). This is deliberate,
so that it's easy to see the changes made for the ROOL version
in a subsequent changeset. The 'app/views/shared' directory is not
part of Instiki but is kept to maintain the change history with
updated ROOL customisations, some of which involve the same files
in that same directory.
- Author:
- rool
- Date:
- Sat Mar 19 19:52:13 +0000 2011
- Size:
- 3175 Bytes
| 1 | RailsXss |
| 2 | ======== |
| 3 | |
| 4 | This plugin replaces the default ERB template handlers with erubis, and switches the behaviour to escape by default rather than requiring you to escape. This is consistent with the behaviour in Rails 3.0. |
| 5 | |
| 6 | Strings now have a notion of "html safe", which is false by default. Whenever rails copies a string into the response body it checks whether or not the string is safe, safe strings are copied verbatim into the response body, but unsafe strings are escaped first. |
| 7 | |
| 8 | All the XSS-proof helpers like link_to and form_tag now return safe strings, and will continue to work unmodified. If you have your own helpers which return strings you *know* are safe, you will need to explicitly tell rails that they're safe. For an example, take the following helper. |
| 9 | |
| 10 | |
| 11 | def some_helper |
| 12 | (1..5).map do |i| |
| 13 | "<li>#{i}</li>" |
| 14 | end.join("\n") |
| 15 | end |
| 16 | |
| 17 | With this plugin installed, the html will be escaped. So you will need to do one of the following: |
| 18 | |
| 19 | 1) Use the raw helper in your template. raw will ensure that your string is copied verbatim into the response body. |
| 20 | |
| 21 | <%= raw some_helper %> |
| 22 | |
| 23 | 2) Mark the string as safe in the helper itself: |
| 24 | |
| 25 | def some_helper |
| 26 | (1..5).map do |i| |
| 27 | "<li>#{i}</li>" |
| 28 | end.join("\n").html_safe |
| 29 | end |
| 30 | |
| 31 | 3) Use the safe_helper meta programming method: |
| 32 | |
| 33 | module ApplicationHelper |
| 34 | def some_helper |
| 35 | #... |
| 36 | end |
| 37 | safe_helper :some_helper |
| 38 | end |
| 39 | |
| 40 | Example |
| 41 | ------- |
| 42 | |
| 43 | BEFORE: |
| 44 | |
| 45 | <%= params[:own_me] %> => XSS attack |
| 46 | <%=h params[:own_me] %> => No XSS |
| 47 | <%= @blog_post.content %> => Displays the HTML |
| 48 | |
| 49 | AFTER: |
| 50 | |
| 51 | <%= params[:own_me] %> => No XSS |
| 52 | <%=h params[:own_me] %> => No XSS (same result) |
| 53 | <%= @blog_post.content %> => *escapes* the HTML |
| 54 | <%= raw @blog_post.content %> => Displays the HTML |
| 55 | |
| 56 | |
| 57 | Gotchas |
| 58 | --- |
| 59 | |
| 60 | #### textilize and simple_format do *not* return safe strings |
| 61 | |
| 62 | Both these methods support arbitrary HTML and are *not* safe to embed directly in your document. You'll need to do something like: |
| 63 | |
| 64 | <%= sanitize(textilize(@blog_post.content_textile)) %> |
| 65 | |
| 66 | #### Safe strings aren't magic. |
| 67 | |
| 68 | Once a string has been marked as safe, the only operations which will maintain that HTML safety are String#<<, String#concat and String#+. All other operations are safety ignorant so it's still probably possible to break your app if you're doing something like |
| 69 | |
| 70 | value = something_safe |
| 71 | value.gsub!(/a/, params[:own_me]) |
| 72 | |
| 73 | Don't do that. |
| 74 | |
| 75 | #### String interpolation won't be safe, even when it 'should' be |
| 76 | |
| 77 | value = "#{something_safe}#{something_else_safe}" |
| 78 | value.html_safe? # => false |
| 79 | |
| 80 | This is intended functionality and can't be fixed. |
| 81 | |
| 82 | Getting Started |
| 83 | =============== |
| 84 | |
| 85 | 1. Install rails 2.3.8 or higher, or freeze rails from 2-3-stable. |
| 86 | 2. Install erubis (gem install erubis) |
| 87 | 3. Install this plugin (ruby script/plugin install git://github.com/rails/rails_xss.git) |
| 88 | 4. Report anything that breaks. |
| 89 | |
| 90 | Copyright (c) 2009 Koziarski Software Ltd, released under the MIT license. For full details see MIT-LICENSE included in this distribution. |
