commit abe6bd2c491ac2b3e35d97c0fb205f5e83868403
tree 2f6950cf9cb911c3a0366752e6a6694397e84b03
parent 0791bd6cc2eb0ebe5a4077b0dac503f23c2a1a31
| name | age | message |
|---|---|---|
| MIT-LICENSE | Tue Jan 29 08:22:58 -0800 2008 | |
| README | Tue Feb 17 21:08:36 -0800 2009 | |
| Rakefile | Wed Jan 30 09:13:35 -0800 2008 | |
| init.rb | Wed Jan 30 14:17:04 -0800 2008 | |
| lib/ | Tue Feb 17 21:05:45 -0800 2009 | |
| test/ | Tue Feb 17 21:05:45 -0800 2009 | |
README
= Cross Site Sniper (XSS)
Cross Site Sniper is a Ruby on Rails Plugin that automatically wraps html_escape() around
ActiveRecord attribute methods associated with string and text fields in the
database. This provides a convenient and DRY method to protect a Rails site from Cross
Site Scripting (XSS) attacks from malicious users.
Data used to pre-populate form fields is *not* auto escaped, allowing for user friendly
legitimate uses of normally escaped characters and painless integration into
existing Rails applications without modifying forms or controllers.
You will probably want to remove any calls to h() in helpers and views, otherwise fields
will be double escaped. This is only a concern in cases of legitimate uses of escaped
characters, where, for instance, users may actually see '&amp;' displayed on a webpage
instead of the expected '&'.
See the html_escape[link:classes/ActiveRecord/CrossSiteSniperExtensions/ClassMethods.html#M000001] method to fine tune
which fields to automatically escape.
== Example
=== Before Cross Site Sniper
* @user.first_name => "Haxor<script>alert('Gotcha!')</script>"
=== After Cross Site Sniper
Attribute methods are automatically escaped:
* @user.first_name => "Haxor&lt;script&gt;alert('Gotcha!')&lt;/script&gt;"
Two convenient ways to get at the unescaped data when needed:
* @user.first_name_without_html_escaping => "Haxor<script>alert('Gotcha!')</script>"
* @quiz[:question] => "True or False, 5/8 < 3/5?"
By not escaping data accessed via the hash method (eg. @quiz[:question]), forms
prepopulate with the *unescaped* data, allowing user friendly legitimate uses of
usually escaped characters.
Cross Site Sniper also supports calling <method_name>_without_html_escaping on
non-column methods to temporarily disable html escaping for that method call.
(eg. @person.some_computed_value_without_html_escaping)
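The behaviour described above (escaped attribute readers, unescaped hash access, the <tt>_without_html_escaping</tt> suffix on both column and computed methods, and the double-escaping caveat from the h() paragraph) can be reproduced outside Rails. The following is an added example, not code from the Cross Site Sniper plugin: it uses a constructed stand-in class (<tt>EscapingModel</tt>, with a hypothetical <tt>string_columns</tt> declaration) in place of ActiveRecord::Base, and Ruby's stdlib <tt>ERB::Util.html_escape</tt> in place of the Rails helper.

```ruby
require 'erb'

# Constructed stand-in for ActiveRecord::Base: a plain class holding an
# attributes hash, so the escaping pattern can be run without Rails.
class EscapingModel
  include ERB::Util # supplies html_escape

  # Hypothetical class-level declaration of which columns are string/text.
  # Each declared column gets a reader that escapes on the way out, unless
  # escaping has been temporarily disabled for the current call.
  def self.string_columns(*names)
    names.each do |name|
      define_method(name) do
        value = @attributes[name]
        @escaping_disabled ? value : html_escape(value)
      end
    end
  end

  def initialize(attributes = {})
    @attributes = attributes
  end

  # Hash-style access stays unescaped, which is what lets forms
  # prepopulate with the raw data.
  def [](name)
    @attributes[name]
  end

  # Any public method can be called as <name>_without_html_escaping; the
  # suffix is stripped and the underlying method runs with escaping off,
  # so computed methods built from escaped readers return raw data too.
  def method_missing(name, *args, &block)
    base = name.to_s.sub(/_without_html_escaping\z/, '')
    return super if base == name.to_s || !respond_to?(base)
    with_escaping_disabled { send(base, *args, &block) }
  end

  def respond_to_missing?(name, include_private = false)
    base = name.to_s.sub(/_without_html_escaping\z/, '')
    (base != name.to_s && respond_to?(base)) || super
  end

  private

  def with_escaping_disabled
    previous, @escaping_disabled = @escaping_disabled, true
    yield
  ensure
    @escaping_disabled = previous
  end
end

# Constructed model with two string columns and one computed method.
class User < EscapingModel
  string_columns :first_name, :last_name

  def full_name
    "#{first_name} #{last_name}"
  end
end

# Runs the scenarios from the README against constructed input and returns
# the results so they can be inspected or asserted on.
def cross_site_sniper_demo
  user = User.new(first_name: "Haxor<script>alert('Gotcha!')</script>",
                  last_name: "Smith & Co")
  {
    escaped: user.first_name,                              # reader escapes
    raw: user.first_name_without_html_escaping,            # suffix disables it
    hash_access: user[:first_name],                        # hash access is raw
    computed: user.full_name,                              # built from escaped readers
    computed_raw: user.full_name_without_html_escaping,    # suffix works on non-columns
    # The h() caveat: escaping an already escaped reader turns "&" into "&amp;amp;".
    double_escaped: ERB::Util.html_escape(user.last_name)
  }
end

if __FILE__ == $0
  cross_site_sniper_demo.each { |label, value| puts "#{label}: #{value}" }
end
```

Note that disabling escaping is scoped to a single call via the instance flag, so a computed method called normally still sees escaped attribute values, while the same method called with the suffix sees raw ones; the <tt>ensure</tt> restores the previous state even if the wrapped method raises.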
== Installation
  script/plugin install git://github.com/wwidea/cross_site_sniper.git
== Copyright
Copyright (c) 2008 World Wide IDEA, Inc., released under the MIT license. [ http://www.wwidea.org ]