Safe ERB lets you make sure that the string written by <%= %> in
your erb template is escaped correctly. If you try to show the
attributes in the ActiveRecord instance read from the database or the
parameters received from the request without escaping them using h
method, an exception will be raised. This will significantly reduce
the possibility of putting cross-site scripting vulnerability into
your web application.
The check is done using tainted? method in Object class which is a
standard feature provided by Ruby. The string is tainted when it is
read from IO. When ERB::Util#h method is called, this plugin
untaints the string, and when <%= %> is called in your html
template, it raises an exception if the string you are trying to show
is tainted.
You can grab Safe ERB from github and put it in vendor/plugins, or
just run:
script/plugin install git://github.com/abedra/safe-erbSafe ERB works on Rails 2.0.x, 2.1.x, 2.2.x, and 2.3.x. It has been tested using following database libraries:
- PostgreSQL (postgres-0.7.1 gem)
- MySQL (mysql-2.7 gem)
It does NOT work properly on SQLite (because the data read from SQLite driver is not tainted).
The string becomes tainted when it is read from IO, such as the data
read from the DB or HTTP request. However, the request parameters are
not tainted in functional and integration tests, and also if your
server is Mongrel. Hence this plugin installs before_filter into
ActionController::Base that always taints request parameters and
cookies.
The returned values from the following methods become untainted:
ERB::Util#hActionView::Helpers::TagHelper#escapeActionView::Helpers::TextHelper#strip_tags
Also, you can always untaint any string manually by calling untaint
method (standard Ruby feature).
Aaron Bedra
Shinya Kasatani