diff --git a/guides/source/security.md b/guides/source/security.md index 4cd20fad4c0cf..fb3c1b67db845 100644 --- a/guides/source/security.md +++ b/guides/source/security.md @@ -661,7 +661,8 @@ SELECT * FROM projects WHERE (name = '') UNION The result won't be a list of projects (because there is no project with an empty name), but a list of usernames and their password. So hopefully you [securely hashed the passwords](#user-management) in the database! The only problem for the attacker is, that the number of columns has to be the same in both queries. That's why the second query includes a list of ones (1), which will be always the value 1, in order to match the number of columns in the first query. -Also, the second query renames some columns with the AS statement so that the web application displays the values from the user table. Be sure to update your Rails [to at least 2.1.1](https://rorsecurity.info/journal/2008/09/08/sql-injection-issue-in-limit-and-offset-parameter.html). +Also, the second query renames some columns with the AS statement so that the +Web application displays the values from the user table. #### Countermeasures @@ -865,7 +866,8 @@ This example, again, showed that a restricted list filter is never complete. How If you want to provide text formatting other than HTML (due to security), use a mark-up language which is converted to HTML on the server-side. [RedCloth](https://github.com/jgarber/redcloth) is such a language for Ruby, but without precautions, it is also vulnerable to XSS. -For example, RedCloth translates `_test_` to `test`, which makes the text italic. However, up to the current version 3.0.4, it is still vulnerable to XSS. Get the [all-new version 4](https://github.com/jgarber/redcloth) that removed serious bugs. However, even that version has [some security bugs](https://rorsecurity.info/journal/2008/10/13/new-redcloth-security.html), so the countermeasures still apply. Here is an example for version 3.0.4: +For example, RedCloth translates `_test_` to `test`, which makes the +text italic. However, RedCloth doesn’t filter unsafe html tags by default: ```ruby RedCloth.new('').to_html