Skip to content
This repository

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP

Ruby on Rails Plugin that automatically wraps html_escape() around ActiveRecord attribute methods associated with string and text fields in the database.

branch: master

Fetching latest commit…

Octocat-spinner-32-eaf2f5

Cannot retrieve the latest commit at this time

Octocat-spinner-32 lib
Octocat-spinner-32 test
Octocat-spinner-32 MIT-LICENSE
Octocat-spinner-32 README
Octocat-spinner-32 Rakefile
Octocat-spinner-32 init.rb
README
= Cross Site Sniper (XSS)

Cross Site Sniper is a Ruby on Rails Plugin that automatically wraps html_escape() around 
ActiveRecord attribute methods associated with string and text fields in the
database.  This provides a convenient and DRY method to protect a Rails site from Cross
Site Scripting (XSS) attacks from malicious users.

Data used to pre-populate form fields is *not* auto escaped, allowing for user friendly
legitimate uses of normally escaped characters and painless integration into 
existing Rails applications without modifying forms or controllers.

You will probably want to remove any calls to h() in helpers and views, otherwise fields
will be double escaped. This will only be of concern however in cases of legitimate uses of
escaped characters, where, for instance, users may actually see '&' displayed on a webpage
instead of an expected '&'.

See the html_escape[link:classes/ActiveRecord/CrossSiteSniperExtensions/ClassMethods.html#M000001] method to fine tune which fields to automatically escape.

== Example

=== Before Cross Site Sniper

* @user.first_name  => "Haxor<script>alert('Gotcha!')</script>"

=== After Cross Site Sniper

Attribute Methods are Automatically Escaped
* @user.first_name => "Haxor&lt;script&gt;alert('Gotcha!')&lt;/script&gt;"

Two convenient ways to get at the unescaped data when needed.
* @user.first_name_without_html_escaping => "HaXor<script>alert('Gotcha!')</script>"
* @quiz[:question] => "True or False, 5/8 < 3/5?"

By not escaping data accessed via the hash method (eg. @quiz[:question]), forms
prepopulate with the *unescaped* data, allowing user friendly legitimate uses of
usually escaped characters. 

Cross Site Sniper also supports calling <method_name>_without_html_escaping on
non-column methods to temporarily disable html escaping for that method call.
(eg. @person.some_computed_value_without_html_escaping)
== Installation

  script/plugin install git://github.com/wwidea/cross_site_sniper.git

== Copyright

Copyright (c) 2008 World Wide IDEA, Inc., released under the MIT license. [ http://www.wwidea.org ]
Something went wrong with that request. Please try again.