look / xss_terminate
xss_terminate is a plugin that makes stripping and sanitizing HTML stupid-simple. Install and forget. And forget about forgetting to h() your output, because you won't need to anymore.
If I have

```ruby
class A < ActiveRecord::Base
  xss_terminate
end

class B < ActiveRecord::Base
  # no xss_terminate call here
end
```

```ruby
b = B.new
b.description = "<a href=\"foo\">bar</a>"
b.save
b.reload
b.description
# => "bar"
```
I just installed the plugin, and without anything else configured, it locks the application. In the debugger, I see it's the save that locks it. I am on 2.3.2 and don't have any other plugins except authlogic. When I delete the plugin everything works.
Is it 2.3 compatible?
I can't comment on the issue, but I can say I am using it on 2.3 just fine.
I got it. I am using authlogic, and the field crypted_password is a string (so are the tokens), which is hooked up with bcrypt => infinite loop. Hmm, just wondering, why did you avoid :only and :all? It's silly on some internal model, let's say in has_many :through, to do xss checks, and now it's enabled by default on all models? Or am I getting it wrong? Thanks,
-D
Hmm, I'm using authlogic as well. I just have xss_terminate in my user model and everything works great. Also, unless I misunderstood you, :only is supported. For example:

```ruby
xss_terminate :only => [:login, :password]
```
Nope, still the same, :only is ignored... but are you sure this is the same version here that you are using? I do not see :only in this:

```ruby
write_inheritable_attribute(:xss_terminate_options, {
  :except => (options[:except] || []),
  :html5lib_sanitize => (options[:html5lib_sanitize] || []),
  :sanitize => (options[:sanitize] || [])
})
```

Thanks for the time

Upon inspecting the code, it appears that this is the default behavior. All fields for all models are escaped.
Correct, this is by design, so you have to opt-out of escaping instead of opting in, because if you forget you could be vulnerable.
If there are fields you want no escaping for, you can use:

```ruby
class B < ActiveRecord::Base
  xss_terminate :except => [:field1, :field2]
end
```
I think there's a fork out there that adds the ability to except an entire class. That would be good to add :)
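Added illustration of the opt-out model discussed in this thread. This is not code from the xss_terminate plugin: it is a dependency-free stand-in in which every String attribute of every model is HTML-escaped on save unless the model lists the field under :except, so a model that never calls xss_terminate (B in the issue) is still affected. The names XssTerminate, Record, escape_attributes! and demo_opt_out, the in-memory save, and the sample strings are all assumptions made for the example; the real plugin hooks ActiveRecord callbacks and strips tags by default (hence "bar" in the issue), whereas this stand-in escapes with CGI.escapeHTML.

```ruby
require "cgi"

# Added example, not the plugin's own code. Opt-out escaping: everything is
# escaped unless a model names the field under :except. No :only exists here,
# mirroring the version of the plugin quoted in the thread.
module XssTerminate
  DEFAULTS = { except: [] }.freeze

  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    # `xss_terminate :except => [:field]` leaves the listed fields untouched.
    def xss_terminate(options = {})
      @xss_terminate_options = { except: Array(options[:except]).map(&:to_sym) }
    end

    # Options come from the nearest class that configured them; a model that
    # never called xss_terminate falls through to the escape-everything default.
    def xss_terminate_options
      return @xss_terminate_options if @xss_terminate_options
      superclass.respond_to?(:xss_terminate_options) ? superclass.xss_terminate_options : DEFAULTS
    end
  end

  # Escape every String attribute not listed under :except, in place.
  def escape_attributes!
    except = self.class.xss_terminate_options[:except]
    @attributes.each do |name, value|
      next if except.include?(name) || !value.is_a?(String)
      @attributes[name] = CGI.escapeHTML(value)
    end
    self
  end
end

# Hypothetical in-memory stand-in for ActiveRecord::Base: an attributes hash
# plus a save that runs the escaping where a before_save callback would.
class Record
  include XssTerminate

  def initialize(attrs = {})
    @attributes = attrs.transform_keys(&:to_sym)
  end

  def [](name)
    @attributes[name.to_sym]
  end

  def save
    escape_attributes!
    true
  end
end

# The thread's scenario: A opts in explicitly, B never mentions the plugin,
# C opts one field out.
class A < Record
  xss_terminate
end

class B < Record
end

class C < Record
  xss_terminate :except => [:description]
end

# Returns what each record holds after save (inputs are constructed samples).
def demo_opt_out
  link = "<a href=\"foo\">bar</a>"
  b = B.new(description: link).tap(&:save)
  c = C.new(description: link, title: "<b>x</b>").tap(&:save)
  {
    b_description: b[:description], # escaped although B never called xss_terminate
    c_description: c[:description], # raw: listed under :except
    c_title: c[:title]              # still escaped: :except is per field
  }
end
```

Two things worth keeping in mind with this shape of plugin. First, the safety argument in the thread (forgetting to opt in leaves you exposed, so opt out instead) only holds if the escaping really runs on every model, which is exactly why B is affected. Second, escape-on-write is not idempotent: saving the same record twice through this stand-in turns `&lt;` into `&amp;lt;`, so a real implementation has to avoid re-escaping unchanged attributes.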