
Commit a83309d

committed
Security: Escape strings where recommended by SafeERB
The SafeERB plugin attempts to automatically detect view code which fails to properly escape HTML. You can find information here: http://wiki.rubyonrails.com/rails/pages/Safe+ERB I'm using a version of SafeERB modified by Matthew Bass, which can be found on github: http://github.com/pelargir/safe_erb/tree/master My local copy is modified to avoid some false positives, and isn't ready for production use yet. But here's the first batch of changes it recommended. Note that some of these changes weren't really necessary-- some of the values we're wrapping can't actually contain HTML metacharacters, at least not in normal locales. Also note that SafeERB is only useful for the normal view code in places like /admin, and that it won't help us with Liquid plugins in the front end. But it's a start.
1 parent f9d3c10 commit a83309d


8 files changed

+22
-22
lines changed


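--- a/app/views/admin/articles/_page_nav.rhtml
+++ b/app/views/admin/articles/_page_nav.rhtml
@@ -3,7 +3,7 @@
 <div id="page-nav">
 <ul id="act-nav" class="clear">
 <% if controller.controller_name == 'comments' && controller.action_name == 'index' && @comments.size > 0 -%>
-<li><%= link_to_remote "Delete these #{@filter != 'all' ? @filter : ''} comments", :confirm => "Are you sure you wish to delete all #{@filter != 'all' ? @filter : ''} comments?",
+<li><%= link_to_remote h("Delete these #{@filter != 'all' ? @filter : ''} comments"), :confirm => "Are you sure you wish to delete all #{@filter != 'all' ? @filter : ''} comments?",
 :url => { :controller => 'comments', :action => 'destroy', :id => @article }, :with => "ArticleForm.getAvailableComments().toQueryString('comment')"
 %></li>
 <% end -%>
@@ -57,4 +57,4 @@
 <% end -%>
 </ul>
 </div>
-<% end unless @article && @article.new_record? && @article.comments.size == 0 -%>
+<% end unless @article && @article.new_record? && @article.comments.size == 0 -%>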
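Review bot: `@filter` is interpolated twice on line 6 — into the link body, which the added `h()` now escapes, and into the `:confirm` string, which is emitted as JavaScript inside an onclick attribute where `h` is not the relevant escaper; the hunk leaves that second use to whatever `link_to_remote` does with the option. Since the value is compared against `'all'` it is presumably a small set of known filter names, so the cheapest cover for both contexts is validating it against that set where it is assigned, which is outside this partial. The second hunk (line 60) changes only the trailing newline and could be dropped from a security commit to keep the diff reviewable.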

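--- a/app/views/admin/assets/index.rhtml
+++ b/app/views/admin/assets/index.rhtml
@@ -52,7 +52,7 @@
 <h3>Some stats</h3>
 <p>
 You have a uploaded a total of <strong><%= pluralize site.assets.count, 'asset'%></strong>, using
-<strong><%= number_to_human_size site.assets.sum(:size) %></strong>.
+<strong><%=h number_to_human_size site.assets.sum(:size) %></strong>.
 </p>
 </div>
 <% end %>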
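Review bot: Line 55 now escapes `number_to_human_size`, but line 54's `pluralize site.assets.count, 'asset'` is the same class of helper output built from an integer and is left unescaped, so the rule is applied inconsistently within three lines. Either choice is harmless here, as the commit message itself notes, but a reader will wonder which one is the rule; `<%=h pluralize site.assets.count, 'asset' %>` or leaving both alone would be consistent. Line 54 also has a typo in the user-facing text, "You have a uploaded", which this pass could fix while touching the paragraph.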

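--- a/app/views/admin/comments/index.rhtml
+++ b/app/views/admin/comments/index.rhtml
@@ -2,7 +2,7 @@
 
 <h3 style="border-bottom:1px solid #ccc;padding:5px">
 <% if @article -%>
-Comments on <%= link_to @article.title, edit_article_path(@article), :style => 'border:none' %> <span class="right"><%= @article.published? ? link_to(image_tag('/images/mephisto/icons/24-zoom-in.png', :style => 'vertical-align: middle'), @site.permalink_for(@article), :style => 'border:none;') : '&nbsp;' %></span>
+Comments on <%= link_to h(@article.title), edit_article_path(@article), :style => 'border:none' %> <span class="right"><%= @article.published? ? link_to(image_tag('/images/mephisto/icons/24-zoom-in.png', :style => 'vertical-align: middle'), @site.permalink_for(@article), :style => 'border:none;') : '&nbsp;' %></span>
 <% else -%>
 Comments for all articles
 <% end -%>
@@ -22,7 +22,7 @@ Comments for all articles
 <blockquote><p>"<%= strip_tags(comment.body) %>"</p></blockquote>
 <% end -%>
 <span class="meta">
-<cite>&mdash; <%= author_link_for comment %><%= %( (#{comment.author_email})) unless comment.author_email.blank? %> said <%= time_ago_in_words comment.created_at %> ago</cite>
+<cite>&mdash; <%= author_link_for comment %><%=h %( (#{comment.author_email})) unless comment.author_email.blank? %> said <%=h time_ago_in_words comment.created_at %> ago</cite>
 
 <%= link_to_remote 'Edit', :url => edit_article_comment_path(comment.article, comment), :method => :get %> |
 <% if comment.approved? -%>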
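Review bot: Line 22, `<%= strip_tags(comment.body) %>`, is the value in this hunk most likely to be visitor-controlled and it stays unescaped; `strip_tags` removes markup rather than escaping what it leaves behind, so the output's safety rests entirely on the sanitizer. `<%=h strip_tags(comment.body) %>` keeps the tag stripping for readability and adds escaping as a second layer. The added `h` on `time_ago_in_words` at line 25 is harmless but escapes a value that cannot contain metacharacters, while `author_link_for comment` on the same line is a helper whose escaping cannot be checked from this hunk.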

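--- a/app/views/admin/design/_form.rhtml
+++ b/app/views/admin/design/_form.rhtml
@@ -1,16 +1,16 @@
 <div class="group">
 <dl>
 <dt>
-<%= label_tag :data, labels[:data] %>
+<%= label_tag :data, h(labels[:data]) %>
 <p class="hint"><%= hint %></p>
 </dt>
 <dd><%= text_area_tag :data, h(attachment && attachment.file? ? attachment.read : params[:data]), :class => 'fat', :rows => 20 %></dd>
 <% if controller.action_name == 'index' -%>
 <dt>
-<%= label_tag :filename, labels[:filename] %>
+<%= label_tag :filename, h(labels[:filename]) %>
 <p class="hint">You can create one of three types of files: Liquid (*.liquid), CSS (*.css), and Javascript (*.js).</p>
 </dt>
 <dd><%= text_field_tag :filename, params[:filename] %></dd>
 <% end -%>
 </dl>
-</div>
+</div>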
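Review bot: Line 5, `<p class="hint"><%= hint %></p>`, is the only interpolation in this hunk left unescaped while the two `label_tag` labels around it are now wrapped; `hint` is a partial local whose origin is not visible here. If callers pass fixed literal text, a comment `<%# hint is a literal supplied by the rendering template, not user data %>` records why it is exempt; otherwise `<%=h hint %>` is the consistent choice. The change at line 16 is a trailing-newline-only edit and adds noise to a security diff.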

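--- a/app/views/admin/design/_sidebar.rhtml
+++ b/app/views/admin/design/_sidebar.rhtml
@@ -4,18 +4,18 @@
 *_layout suffix (e.g custom_layout).</p>
 <ul id="attachments">
 <% @theme.templates.template_types(@theme.extension).each do |template| -%>
-<li><%= link_to template, url_for_theme(:controller => 'templates', :action => 'edit', :filename => template) %></li>
+<li><%= link_to h(template), url_for_theme(:controller => 'templates', :action => 'edit', :filename => template) %></li>
 <% end -%>
 <% @theme.templates.custom(@theme.extension).each_with_index do |template, i| -%>
 <li id="templates-<%= i %>">
 <%= delete_link :templates, template, "templates-#{i}" %>
-<%= link_to template, url_for_theme(:controller => 'templates', :action => 'edit', :filename => template) %>
+<%= link_to h(template), url_for_theme(:controller => 'templates', :action => 'edit', :filename => template) %>
 </li>
 <% end -%>
 <% @theme.resources.reject { |r| @theme.resources.image?(r) }.each_with_index do |resource, i| -%>
 <li id="resources-<%= i %>">
 <%= delete_link :resources, resource.basename.to_s, "resources-#{i}" %>
-<%= link_to resource.basename, url_for_theme(:controller => 'resources', :action => 'edit', :filename => resource.basename) %>
+<%= link_to h(resource.basename), url_for_theme(:controller => 'resources', :action => 'edit', :filename => resource.basename) %>
 </li>
 <% end -%>
 </ul>
@@ -25,7 +25,7 @@
 <p>Select an image to use in your template.</p>
 <ul id="attachments">
 <% @theme.resources.select { |r| @theme.resources.image?(r) }.each_with_index do |image, i| -%>
-<li id="images-<%= i %>"><%= delete_link :resources, image.basename.to_s, "images-#{i}" %> <%= image.basename %> </li>
+<li id="images-<%= i %>"><%= delete_link :resources, h(image.basename.to_s), "images-#{i}" %> <%= h(image.basename) %> </li>
 <% end -%>
 </ul>
 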
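Review bot: Line 28 now passes `h(image.basename.to_s)` into `delete_link`, while line 17 passes `resource.basename.to_s` to the same helper unescaped, so the two call sites disagree and only one of them can be right. If `delete_link` uses its second argument as data (the filename to delete, in a URL or a confirmation string) rather than as HTML, pre-escaping corrupts a name containing `&` or quotes and the helper should escape at the point where it renders the value; if it uses it as HTML, line 17 needs the same treatment. Presumably the helper is the right place for the fix so both call sites stay plain, `<%= delete_link :resources, image.basename.to_s, "images-#{i}" %>`, but its definition is outside this hunk.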

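--- a/app/views/admin/overview/index.rhtml
+++ b/app/views/admin/overview/index.rhtml
@@ -49,7 +49,7 @@
 <h3>Recent activity</h3>
 <ul class="slist" id="activity">
 <% @users.each do |user| -%>
-<li style="clear:right;"><%= avatar_for user %><%= link_to who(user.login), :controller => 'users', :action => 'show', :id => user %><br /> showed up <%= distance_of_time_in_words_to_now(user.updated_at) %> ago</li>
+<li style="clear:right;"><%= avatar_for user %><%= link_to who(user.login), :controller => 'users', :action => 'show', :id => user %><br /> showed up <%=h distance_of_time_in_words_to_now(user.updated_at) %> ago</li>
 <% end -%>
 </ul>
 </div>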
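Review bot: The link body `who(user.login)` on line 52 is the user-derived value on this line and it stays unescaped, while the added `h` wraps `distance_of_time_in_words_to_now`, whose output is a fixed set of phrases. `link_to` does not escape its name argument, so unless `who` escapes internally (not visible here) a login containing markup would be rendered as HTML; `<%= link_to h(who(user.login)), :controller => 'users', :action => 'show', :id => user %>` closes that, assuming `who` returns plain text rather than markup. The `avatar_for user` helper on the same line is likewise outside the hunk and worth the same check.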

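--- a/app/views/admin/themes/_theme.rhtml
+++ b/app/views/admin/themes/_theme.rhtml
@@ -1,12 +1,12 @@
-<li class="theme<%= ' current' if theme.current? %>" id="theme-<%= theme_counter %>">
+<li class="theme<%=h ' current' if theme.current? %>" id="theme-<%= theme_counter %>">
 <h3>
-<span title="stored in /<%= theme.name %>"><%=h theme.title %></span>
+<span title="stored in /<%=h theme.name %>"><%=h theme.title %></span>
 <span class="thememeta">
 <% unless theme.version.blank? -%>v<%=h theme.version %> |<% end -%>
-by <%= theme.linked_author.blank? ? 'unknown' : theme.linked_author %>
+by <%=h theme.linked_author.blank? ? 'unknown' : theme.linked_author %>
 </span>
 </h3>
 <a id="theme-dialog-<%= theme_counter %>" class="theme_dialog">
 <img src="<%= url_for(:controller => '/admin/themes', :action => 'preview_for', :id => theme) %>" alt="Theme preview" title="<%=h theme.title %> (v<%=h theme.version %>)" />
 </a>
-</li>
+</li>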
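Review bot: Line 6 now escapes `theme.linked_author`, and if that method returns an anchor tag as its name suggests, the markup will be rendered as literal text in the theme list — a functional regression rather than a hardening. The safer place to escape is inside `linked_author`, around the author name and URL it assembles, leaving this line as `by <%= theme.linked_author.blank? ? 'unknown' : theme.linked_author %>`; that cannot be confirmed from this hunk since the method lives in the model. Line 1's `<%=h ' current' if theme.current? %>` escapes a string literal and can be reverted as noise.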

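--- a/app/views/layouts/application.rhtml
+++ b/app/views/layouts/application.rhtml
@@ -3,7 +3,7 @@
 <html xmlns="http://www.w3.org/1999/xhtml">
 <head>
 <meta http-equiv="Content-type" content="text/html; charset=utf-8" />
-<title><%= site.title %>: Admin <%= controller.controller_name %></title>
+<title><%=h site.title %>: Admin <%=h controller.controller_name %></title>
 <%= stylesheet_link_tag 'mephisto/mephisto' %>
 <%= javascript_include_tag 'mephisto/prototype', 'mephisto/effects', 'mephisto/dragdrop', 'mephisto/lowpro', 'mephisto/application' %>
 <script type="text/javascript">Mephisto.root = '<%= relative_url_root %>'; <%= init_mephisto_authenticity_token %></script>
@@ -36,7 +36,7 @@
 <li><%= link_to 'Articles', :controller => '/admin/articles' %></li>
 <li><%= link_to 'Assets', :controller => '/admin/assets' %></li>
 <% Mephisto::Plugin.tabs.each do |tab| -%>
-<li><%= link_to tab.first, tab.last %></li>
+<li><%= link_to h(tab.first), tab.last %></li>
 <% end -%>
 </ul>
 <% if admin? -%>
@@ -49,7 +49,7 @@
 <li><%= link_to 'Plugins', :controller => '/admin/plugins' %></li>
 <% end -%>
 <% Mephisto::Plugin.admin_tabs.each do |tab| -%>
-<li><%= link_to tab.first.to_s.tableize.humanize, tab.last %></li>
+<li><%= link_to h(tab.first.to_s.tableize.humanize), tab.last %></li>
 <% end -%>
 </ul>
 <% end -%>
@@ -80,8 +80,8 @@
 <!-- div.left -->
 <div id="main">
 <div id="flashes">
-<div id="flash-errors" style="display: none;"><%= flash[:error] %></div>
-<div id="flash-notice" style="display:none"><%= flash[:notice] %></div>
+<div id="flash-errors" style="display: none;"><%=h flash[:error] %></div>
+<div id="flash-notice" style="display:none"><%=h flash[:notice] %></div>
 </div>
 <!-- begin action nav -->
 <%= yield :action_nav %>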
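Review bot: Lines 83-84 now escape `flash[:error]` and `flash[:notice]`, which is the right default but changes behaviour for any controller that deliberately places markup (a link in a notice, a list of validation errors) into the flash — those would now show literal tags, so the controllers setting these keys should be checked before merging. Line 9 embeds `<%= relative_url_root %>` inside a single-quoted JavaScript string literal, a context the HTML escaper does not cover; it is deployment configuration rather than request data, so the risk is low, but `escape_javascript` is the matching escaper if that line is ever touched. The `h(tab.first)` changes at lines 39 and 52 cover plugin-supplied tab labels correctly; `tab.last` is handed to `link_to` as the URL and relies on `url_for`'s own handling rather than on `h`.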
