emk / safe_erb
watch download tarball
public
Forks3Right
Watchers19Right
Description: Automatically detect improperly escaped text in ERB templates
Homepage: http://wiki.rubyonrails.com/rails/pages/Safe+ERB
Clone URL: git://github.com/emk/safe_erb.git
name age
history
message
file .gitignore Sun Dec 21 11:16:53 -0800 2008 Rename README to README.rdoc for github [emk]
file MIT-LICENSE Wed Aug 20 13:43:45 -0700 2008 initial commit [Matthew Bass]
file README.rdoc Sun Dec 21 11:16:53 -0800 2008 Rename README to README.rdoc for github [emk]
file Rakefile Sun Dec 21 11:16:53 -0800 2008 Rename README to README.rdoc for github [emk]
directory lib/ Sun Dec 21 08:15:32 -0800 2008 Add declarative untaint_result helper This can... [emk]
directory rails/ Tue Dec 16 16:37:38 -0800 2008 Move init.rb into Rails directory This will ev... [emk]
file safe_erb.gemspec Sat Dec 20 14:10:22 -0800 2008 Only apply safe_erb to ActionView::Renderable ... [emk]
directory test/ Sun Dec 21 08:15:32 -0800 2008 Add declarative untaint_result helper This can... [emk]
README.rdoc

Safe ERB

Overview

Safe ERB lets you make sure that the string written by "<%= %>" in your rhtml template is escaped correctly. If you try to show the attributes in the ActiveRecord instance read from the database or the parameters received from the request without escaping them using "h" method, an exception will be raised. This will significantly reduce the possibility of putting cross-site scripting vulnerability into your web application.

The check is done using "tainted?" method in Object class which is a standard feature provided by Ruby - the string is "tainted" when it is read from IO. When ERB::Util#h method is called, this plugin "untaints" the string, and when "<%= %>" is called in your rhtml template, it raises an exception if the string you are trying to show is tainted.

About this version of Safe ERB

This fork of Safe ERB has been modified to work with Mephisto under Rails 2.2. It may work with other Rails applications. Patches are welcome!

Installation

Just put this plugin into vendor/plugins directory in your Rails application. No configuration is needed.

This version of Safe ERB has been tested with Mephisto under Rails 2.2. It has been tested with SQLite3, and there’s a decent chance it should work with PostgreSQL and MySQL (and any other database which properly taints the data returned from the database).

Details

The string becomes tainted when it is read from IO, such as the data read from the DB or HTTP request. However, the request parameters are not tainted in functional and integration tests, and also if your server is Mongrel. Hence this plugin installs before_filter into ActionController::Base that always taints request parameters and cookies.

The returned values from the following methods become untainted:

  • ERB::Util#h
  • ActionView::Helpers::TagHelper#escape
  • ActionView::Helpers::TextHelper#strip_tags

Also, you can always untaint any string manually by calling "untaint" method (standard Ruby feature).

Several ActionView helpers have also been modified to untaint their return values. This is a temporary measure to get things working with Mephisto. See the source for details.

Contact

The orignal safe_erb plugin was written by Shinya Kasatani <kasatani at gmail.com>.

This forked version was written by Eric Kidd, based on work by Matthew Bass.