
rails / rails_xss


This project forked from nzkoz/rails_xss


A plugin for rails 2.3 apps which switches the default to escape by default

License: MIT License

Ruby 100.00%

rails_xss's Introduction

RailsXss

This plugin replaces the default ERB template handlers with erubis, and switches the behaviour to escape by default rather than requiring you to escape. This is consistent with the behaviour in Rails 3.0.

Strings now have a notion of "html safe", which is false by default. Whenever Rails copies a string into the response body it checks whether or not the string is safe: safe strings are copied verbatim into the response body, while unsafe strings are escaped first.

All the XSS-proof helpers like link_to and form_tag now return safe strings, and will continue to work unmodified. If you have your own helpers which return strings you know are safe, you will need to explicitly tell rails that they're safe. For an example, take the following helper.

def some_helper
  (1..5).map do |i|
    "<li>#{i}</li>"
  end.join("\n")
end

With this plugin installed, the html will be escaped. So you will need to do one of the following:

  1. Use the raw helper in your template. raw will ensure that your string is copied verbatim into the response body.

    <%= raw some_helper %>

  2. Mark the string as safe in the helper itself:

    def some_helper
      (1..5).map do |i|
        "<li>#{i}</li>"
      end.join("\n").html_safe
    end

  3. Use the safe_helper meta programming method (WARNING: This is not supported by Rails 3, so if you're planning to eventually upgrade your app this alternative is not recommended):

    module ApplicationHelper
      def some_helper
        #...
      end
      safe_helper :some_helper # not supported by Rails 3
    end

Example

BEFORE:

<%= params[:own_me] %>        => XSS attack
<%=h params[:own_me] %>       => No XSS
<%= @blog_post.content %>     => Displays the HTML

AFTER:

<%= params[:own_me] %>        => No XSS 
<%=h params[:own_me] %>       => No XSS (same result)
<%= @blog_post.content %>     => *escapes* the HTML
<%= raw @blog_post.content %> => Displays the HTML

Gotchas

textilize and simple_format do not return safe strings

Both these methods support arbitrary HTML and are not safe to embed directly in your document. You'll need to do something like:

<%= sanitize(textilize(@blog_post.content_textile)) %>

Safe strings aren't magic.

Once a string has been marked as safe, the only operations which will maintain that HTML safety are String#<<, String#concat and String#+. All other operations are safety ignorant so it's still probably possible to break your app if you're doing something like

value = something_safe
value.gsub!(/a/, params[:own_me])

Don't do that.

String interpolation won't be safe, even when it 'should' be

value = "#{something_safe}#{something_else_safe}"
value.html_safe? # => false

This is intended functionality and can't be fixed.
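The following is an added illustration, not code from the rails_xss plugin: a deliberately minimal model of the "html safe" flag described in the introduction, together with the two gotchas above (gsub! keeping the flag, interpolation dropping it). SafeBuffer, render_value and list_helper are names chosen for this example; render_value stands in for what an auto-escaping <%= %> does with a value.

```ruby
require "cgi"

# Minimal model of the rails_xss "html safe" flag, written for this page (not
# the plugin's own SafeBuffer): safe strings are copied into the response
# verbatim, everything else is escaped on output.
class SafeBuffer < String
  def html_safe?
    true
  end
  # <<, concat and + keep the result safe by escaping the appended piece
  # unless that piece is itself already marked safe.
  def <<(value)
    safe = value.respond_to?(:html_safe?) && value.html_safe?
    super(safe ? value.to_s : CGI.escapeHTML(value.to_s))
  end
  alias_method :concat, :<<
  def +(other)
    dup << other
  end
end

class String
  def html_safe?
    false
  end
  def html_safe
    SafeBuffer.new(self)
  end
end

# What an auto-escaping <%= %> does with a value: verbatim if safe, else escaped.
def render_value(value)
  safe = value.respond_to?(:html_safe?) && value.html_safe?
  safe ? value.to_s : CGI.escapeHTML(value.to_s)
end

# The README's helper, shortened to two items; call .html_safe on it to opt out.
def list_helper
  (1..2).map { |i| "<li>#{i}</li>" }.join("\n")
end

# Gotcha 1: gsub! is "safety ignorant": the flag survives an unsafe in-place edit.
def gsub_keeps_flag?(tainted)
  value = "<p>a</p>".html_safe
  value.gsub!(/a/, tainted)
  value.html_safe? && value.include?(tainted)
end

# Gotcha 2: interpolation builds a plain String, so the safe flag is lost.
def interpolation_safe?
  "#{"<b>".html_safe}#{"</b>".html_safe}".html_safe?
end
```

Concatenation with << escapes the unsafe half and keeps the result safe, which is the property the README says only <<, concat and + preserve.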

Getting Started

  1. Install rails 2.3.8 or higher, or freeze rails from 2-3-stable.
  2. Install erubis (gem install erubis)
  3. Install this plugin (ruby script/plugin install git://github.com/rails/rails_xss.git)
  4. Report anything that breaks.

Copyright (c) 2009 Koziarski Software Ltd, released under the MIT license. For full details see MIT-LICENSE included in this distribution.


rails_xss's Issues

Feature request: "debug" mode that shows any 'auto-escaping'

When retrofitting an application with rails_xss, naturally the concern would be "over escaping" things to where they break. This is not rails_xss' fault, but rather the developer's fault for relying on unencoded values.

However, it would be nice to see a log message that says "hey, in case you were wondering, I had to apply automatic escaping to variable X"

This would leverage rails_xss' ability to not double-escape things that are already h()'d while providing information about what the implementer might want to unescape/refactor.

Link to more active fork

Hi guys, the guy who manages the rails_xss gem (https://github.com/joloudov/rails_xss) has a much more active repo, and we're about to open a Pull Request for more fixes (Array.join).

Rather than have this looking like the official repo, which is outdated, perhaps it could have a readme pointing to this guy, or have him/myself added to this repo? Or even rebase off this guy and, if possible, monitor PRs? Something along those lines?

Note: Yes, unfortunately we still need rails_xss as we use Radiant, which is on Rails 2, so we can't just upgrade to Rails 3 yet.

Behave more like rails 3

With rails_xss
foo.gsub! -> boom

Rails 3+
foo.gsub! -> only unsafe

So let's copy the code from the Rails 3 core ext and use this instead.
Would you accept a pull request for this?

text_field and password_field are escaped

When calling:

form_for do |f|
  f.text_field
end

The text field is escaped. check_box and label aren't escaped. This problem might be occurring on other helpers but so far I can't log into my app to check. :D

This was raised on NZKoz's version but I see that it's abandoned.

SafeBuffer#gsub is broken

The latest patch breaks $-variable binding in the callback to gsub on SafeStrings:

before:
"a".html_safe.gsub(/(a)/) { $1 } == "a"
after:
"a".html_safe.gsub(/(a)/) { $1 } == ""

We noticed this because CGI::escape uses this behaviour, so if you pass a safe buffer as a URL argument to a url helper, you will get an exception, a snippet from our codebase:

link_to "Please log in", login_url(:return_to => url_for(params))

# The error occurred while evaluating nil.size
# /home/conrad/.rvm/rubies/ree-1.8.7-2011.03/lib/ruby/1.8/cgi.rb:343:in `escape'

This is because $ variables are bound in the scope of the immediate caller to String#gsub not in the scope of the block you pass in.
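An added illustration of the frame-binding point made in this issue, not code from rails_xss or from the patch being discussed: ForwardingBuffer and RebindingBuffer are names chosen here, the first reproducing the breakage (a wrapper that forwards the block), the second showing one way to repair it by re-binding $~ in the block's own binding before calling it.

```ruby
# Ruby binds $~ (and therefore $1) in the frame that called String#gsub, not in
# the frame where the block was written. Illustration written for this page.
class ForwardingBuffer < String
  # Naive wrapper: gsub is now called from this frame, so $~ lands here and
  # the caller's block sees $1 == nil; gsub then substitutes nil.to_s, i.e. "".
  def gsub(*args, &block)
    return super unless block
    super(*args) { |m| block.call(m) }
  end
end

class RebindingBuffer < String
  # Fix: copy the MatchData into the block's own binding before running it.
  def gsub(*args, &block)
    return super unless block
    super(*args) do |m|
      begin
        block.binding.eval("proc { |md| $~ = md }").call($~)
      rescue ArgumentError
        # A C-level proc (e.g. from &:sym) has no binding; nothing to rebind.
      end
      block.call(m)
    end
  end
end

# Same block, same regex, different receiver class.
def capture_with(klass)
  klass.new("a").gsub(/(a)/) { $1 }
end
```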

index.atom.builder escaping feed

Hi,

Using rails_xss and rails 2.3.11 it seems to be escaping all content produced in an index.atom.builder file, no amount of .html_safe and raw tags seem to save it :)

-- index.atom.builder

atom_feed(:url =>items_url(:format => :atom), :type => :html) do |feed|
  feed.title("Feed title")
  feed.updated(date)

  @collection.each do |item|
    feed.entry(trade, :url => ...) do |entry|
    ...
    end
  end
end

-- items.atom output excerpt (removing rails_xss produces correct unescaped values)

&lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?&gt; &lt;feed xml:lang=&quot;en-US&quot; xmlns=&quot;http://www.w3.org/2005/Atom&quot;&gt; &lt;id&gt;tag:www.example.com,2005:/items&lt;/id&gt; ... items escaped removed &lt;/feed&gt;

Is there a way to avoid this? Or has anyone solved this?
