Opened 11 years ago

Closed 11 years ago

#635 closed defect (fixed)

Patch to fix further XSS holes, and nicer cleaning of tags where some are suitable

Reported by: Thomas Wood Owned by: Tom Hughes
Priority: major Milestone:
Component: website Version:
Keywords: xss Cc:

Description

Fixes two further XSS holes (in/outboxes) and uses the Rails 2 sanitize function to filter out nasty js based on a whitelist approach. (also handles javascript: links well)

Attachments (1)

xss_fixes.patch (3.7 KB) - added by Thomas Wood 11 years ago.

Download all attachments as: .zip

Change History (7)

Changed 11 years ago by Thomas Wood

Attachment: xss_fixes.patch added

comment:1 Changed 11 years ago by Thomas Wood

(has been applied to and tested at http://osm.ge.pythonmoo.co.uk/user/admin/diary)

comment:2 Changed 11 years ago by Tom Hughes

I actually thought older versions of rails had that stuff as well as I'm sure I looked at it. I can't see it now though. My main concern about using that stuff was all the warning notices plastered across it about it using a heuristic scanner and there being a risk of it missing things.

comment:3 Changed 11 years ago by Tom Hughes

Priority: blockermajor

comment:4 Changed 11 years ago by Tom Hughes

Yep - the rails book confirms that the sanitize method has always existed, it is just that it used to be blacklist based and only removed a few really had things (script and form tags, javascript links etc) and now it is whitelist based which is a bit better though it is still reliant on the HTML scanner's ability to find the tags.

comment:5 Changed 11 years ago by Thomas Wood

Yet it is still better than the current no formatting at all method.

Although it may not catch 100%, (although from my interpretation of the docs, it has improved by a great deal with 2), it will catch the majority - I'm sure that with more rails updates, it will improve as rails does.

comment:6 Changed 11 years ago by Tom Hughes

Resolution: fixed
Status: newclosed

Applied. I've also added an auto_link() call to linkify any links which the user didn't tag.

Note: See TracTickets for help on using tickets.