Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Avoid usage of html_safe #305

Merged
merged 4 commits into from
May 11, 2018
Merged

Avoid usage of html_safe #305

merged 4 commits into from
May 11, 2018

Conversation

tijmenb
Copy link
Contributor

@tijmenb tijmenb commented May 11, 2018

This is a follow up to an incident last month where we found a XSS vulnerability caused by html_safe being called on untrusted user input (see alphagov/finder-frontend#480 and follow ups).

To avoid recurrence, this PR makes sure that 1) we're never calling html_safe so that everything is escaped by default, 2) we can't use it anymore. This makes escaping and calling html_safe the exclusive responsibility of the application.

See the individual commits for details.

@tijmenb tijmenb temporarily deployed to govuk-publishing-compon-pr-305 May 11, 2018 06:46 Inactive
sihugh
sihugh reviewed May 11, 2018
View reviewed changes
spec/components/all_components_spec.rb
it "doesn't use `html_safe`" do
files_with_html_safe = `grep -rni "html_safe" app/views/govuk_publishing_components/components`.lines

expect(files_with_html_safe).to be_empty
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🙏

sihugh
sihugh requested changes May 11, 2018
View reviewed changes
Copy link
Contributor

@sihugh sihugh left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It needs a rebase to resolve the conflict in CHANGELOG.md. If you're doing that, could you fix the link to http://api.rubyonrails.org/classes/ActionView/Helpers/OutputSafetyHelper.html in the commit message for the to_sentence view helper? It's wrapped over two lines and confused me for a second when I followed it and it didn't work.

Looks great otherwise 👍

@NickColley NickColley mentioned this pull request May 11, 2018
Closed
@tijmenb
Use to_sentence view helper to avoid html_safe
96db38e 
The `to_sentence` helper knows about safe and unsafe HTML and will
escape the unsafe input and not safe input like `hidden_links`.

See:

http://api.rubyonrails.org/classes/ActionView/Helpers/OutputSafetyHelper.html#method-i-to_sentence
@tijmenb
Safely concatenate text & context in step by step to avoid html_safe
125f6fc 
Read more about concat:

https://thepugautomatic.com/2013/06/helpers/
@tijmenb
Remove html_safe from buttons
3cdf3a6 
This means the application will have to call `html_safe` on the thing
itself. This seems to only be used by the `frontend` application.
@tijmenb
Add test against using html_safe
72c089e 
Now that we've removed all `html_safe` from the components we can add a
test to make sure we don't add it back.
@tijmenb tijmenb merged commit 76c2aa7 into master May 11, 2018
@tijmenb tijmenb deleted the no-html-safe branch May 11, 2018 10:10
@andysellick andysellick mentioned this pull request May 15, 2018
Merged
NickColley added a commit that referenced this pull request Jul 31, 2018
@NickColley
Add guidance for how to pass HTML to components
9f58989 
To see what led to this decision see:

- [an incident involving multiple components](#305)
- [a potential vulnerability with the govspeak component](#356).
@NickColley NickColley mentioned this pull request Jul 31, 2018
Merged
NickColley added a commit that referenced this pull request Jul 31, 2018
@NickColley
Add guidance for how to pass HTML to components
bde6110 
To see what led to this decision see:

- [an incident involving multiple components](#305)
- [a potential vulnerability with the govspeak component](#356).
NickColley added a commit that referenced this pull request Jul 31, 2018
@NickColley
Add guidance for how to pass HTML to components
241e94b 
To see what led to this decision see:

- [an incident involving multiple components](#305)
- [a potential vulnerability with the govspeak component](#356).
NickColley added a commit that referenced this pull request Jul 31, 2018
@NickColley
Add guidance for how to pass HTML to components
8be0811 
To see what led to this decision see:

- [an incident involving multiple components](#305)
- [a potential vulnerability with the govspeak component](#356).
NickColley added a commit that referenced this pull request Jul 31, 2018
@NickColley
Add guidance for how to pass HTML to components
0eacdc7 
To see what led to this decision see:

- [an incident involving multiple components](#305)
- [a potential vulnerability with the govspeak component](#356).
NickColley added a commit that referenced this pull request Aug 1, 2018
@NickColley
Add guidance for how to pass HTML to components
a1b7303 
To see what led to this decision see:

- [an incident involving multiple components](#305)
- [a potential vulnerability with the govspeak component](#356).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sihugh sihugh sihugh approved these changes

@thomasleese thomasleese thomasleese approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@tijmenb @thomasleese @sihugh