This repository has been archived by the owner on Jul 24, 2021. It is now read-only.
Reporter: grand.edgemaster[at]gmail.com [Submitted to the original trac issue database at 10.25am, Tuesday, 15th January 2008]
Fixes two further XSS holes (in/outboxes) and uses the Rails 2 sanitize function to filter out nasty js based on a whitelist approach. (also handles javascript: links well)
Author: tom[at]compton.nu [Added to the original trac issue at 6.17pm, Tuesday, 15th January 2008]
I actually thought older versions of rails had that stuff as well as I'm sure I looked at it. I can't see it now though. My main concern about using that stuff was all the warning notices plastered across it about it using a heuristic scanner and there being a risk of it missing things.
Author: tom[at]compton.nu [Added to the original trac issue at 6.20pm, Tuesday, 15th January 2008]
Yep - the rails book confirms that the sanitize method has always existed, it is just that it used to be blacklist based and only removed a few really bad things (script and form tags, javascript links etc) and now it is whitelist based which is a bit better though it is still reliant on the HTML scanner's ability to find the tags.
Author: grand.edgemaster[at]gmail.com [Added to the original trac issue at 6.24pm, Tuesday, 15th January 2008]
Yet it is still better than the current no formatting at all method.
Although it may not catch 100% (although, from my interpretation of the docs, it has improved by a great deal with 2), it will catch the majority. I'm sure that with more Rails updates it will improve as Rails does.
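To make the whitelist-versus-blacklist point in the discussion above concrete, here is a small stand-alone Ruby sanitizer. It is an added example written for this page; it is neither the project's patch nor Rails' own sanitize, and the ALLOWED_TAGS, ALLOWED_ATTRS and ALLOWED_PROTOCOLS lists are assumptions chosen for the illustration. Only listed tags and attributes survive, and every href is checked by scheme against an allow-list after entity decoding and control-character stripping, so a javascript: link is dropped whether it is written plainly, in mixed case, entity-encoded or split with a tab. Whatever its tokenizer does not recognise as a well-formed tag is escaped as text rather than passed through, which is the conservative way to live with the caveat raised above: the filter is only as good as the scanner that finds the tags.

```ruby
require 'cgi'

# Assumed allow-lists for the example (not Rails' defaults).
ALLOWED_TAGS      = %w[a b i em strong p br ul ol li code pre].freeze
ALLOWED_ATTRS     = { 'a' => %w[href title] }.freeze
ALLOWED_PROTOCOLS = %w[http https mailto].freeze
URL_ATTRS         = %w[href src].freeze

# A tag is "<", an optional "/", a name, then everything up to the first ">".
# Input that does not match this shape is treated as text and escaped.
TAG_RE    = %r{<(/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>}
# Attribute: name, optionally = "double-quoted" | 'single-quoted' | bare value.
ATTR_RE   = /([a-zA-Z][a-zA-Z0-9:-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/
SCHEME_RE = /\A([a-zA-Z][a-zA-Z0-9+.\-]*):/

# Decide whether a URL-valued attribute may be kept. Entities are decoded and
# control/whitespace characters removed before the scheme is read, because
# browsers do the same: "java\tscript:" and "java&#115;cript:" both run as javascript:.
def safe_url?(value)
  normalized = CGI.unescapeHTML(value).gsub(/[\x00-\x20]/, '')
  m = SCHEME_RE.match(normalized)
  return true unless m # no scheme at all: a relative URL
  ALLOWED_PROTOCOLS.include?(m[1].downcase)
end

# Rebuild one whitelisted tag, keeping only the attributes allowed for it.
def rebuild_tag(closing, name, raw_attrs)
  return "</#{name}>" if closing
  allowed = ALLOWED_ATTRS.fetch(name, [])
  kept = raw_attrs.scan(ATTR_RE).filter_map do |aname, dq, sq, bare|
    aname = aname.downcase
    value = dq || sq || bare || ''
    next unless allowed.include?(aname)
    next if URL_ATTRS.include?(aname) && !safe_url?(value)
    # Re-escape from the decoded value so the output is canonical HTML.
    %( #{aname}="#{CGI.escapeHTML(CGI.unescapeHTML(value))}")
  end
  "<#{name}#{kept.join}>"
end

# Walk the input: text between tags is escaped; tags are rebuilt when
# whitelisted and escaped (shown to the reader, never rendered) otherwise.
def sanitize(html)
  out  = +''
  last = 0
  html.scan(TAG_RE) do
    m = Regexp.last_match
    out << CGI.escapeHTML(html[last...m.begin(0)])
    name = m[2].downcase
    out << if ALLOWED_TAGS.include?(name)
             rebuild_tag(m[1] == '/', name, m[3])
           else
             CGI.escapeHTML(m[0])
           end
    last = m.end(0)
  end
  out << CGI.escapeHTML(html[last..])
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs of the kind an inbox message might carry.
  [
    '<script>alert(1)</script>',
    '<a href="javascript:alert(1)">x</a>',
    '<a href="JaVa&#115;cript:alert(1)">x</a>',
    "<a href=\"java\tscript:alert(1)\">x</a>",
    '<a href="https://example.com/?q=1&b=2" onclick="evil()">ok</a>',
    '<img src=x onerror=alert(1)>'
  ].each { |s| puts "#{s.inspect} => #{sanitize(s).inspect}" }
end
```

Two design choices are worth noting. Unknown tags are escaped rather than stripped, so a blocked `<script>` stays visible in the rendered message as literal text, which makes abuse easy to spot. And because the tokenizer stops a tag at the first `>`, a `>` inside a quoted attribute value truncates that tag and the remainder is escaped as text: the output may be mangled, but nothing unlisted ever reaches the browser as markup.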