Entries from August 2007
OpenID security issues
August 27th, 2007 · 3 Comments
As many Rails projects use the OpenID service to authenticate their users, I want to bring to your attention some of its security issues which were announced recently. Gareth Heyes found a cross-site request forgery attack vector with MyOpenID, one of the bigger OpenID providers. MyOpenID reacted promptly, but other providers have the same problem. […]
Tags: General
RedCloth security thoughts
August 20th, 2007 · 4 Comments
RedCloth is often used to prevent Cross Site Scripting, because it uses a markup other than HTML to format text. "RedCloth is a module for using Textile in Ruby. Textile is a text format. A very simple text format. Another stab at making readable text that can be converted to HTML." For example *a […]
Tags: XSS and Rails
Don’t use strip_tags, strip_links and sanitize
August 17th, 2007 · 7 Comments
Update: This is about earlier releases, Rails 2.0 provides a new sanitize method which uses a white list. Also, strip_tags and strip_links have been updated, the attack vectors below do not work anymore.
Rails includes several insecure text helpers, especially strip_tags, strip_links and sanitize. Do not rely on these, as they do not fulfill what […]
Tags: XSS and Rails
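The update above says the fix in Rails 2.0 was to move sanitize to a white list. To make the difference concrete, here is an added example of the white-list approach in plain Ruby; it is not the Rails helper, not code from this blog, and it assumes a hypothetical allow list (tags b, i, em, strong, p, a; only href on a; only http, https and mailto URLs). Everything that is not explicitly allowed is HTML-escaped rather than stripped, so an unknown tag or attribute can never reach the browser as markup. The tokenizer is a regex, not an HTML parser, so a literal `>` inside a quoted attribute value would confuse it; use a real parser for production input.

```ruby
require "cgi"

# Hypothetical allow lists for this added example (not Rails' own sanitize).
ALLOWED_TAGS  = %w[b i em strong p a].freeze       # assumption: permitted tags
ALLOWED_ATTRS = { "a" => %w[href] }.freeze         # assumption: permitted attributes per tag
SAFE_SCHEMES  = %w[http https mailto].freeze       # assumption: permitted URL schemes

# A tag token: optional "/", a name, the raw attribute text, optional self-closing "/".
TAG_RE  = %r{<(/?)([A-Za-z][A-Za-z0-9]*)([^>]*?)\s*(/?)>}
# name="value", name='value' or name=bare
ATTR_RE = /([A-Za-z][\w:-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/

# Reject any URL whose scheme is not on the allow list. Control characters and
# whitespace are removed first, because browsers ignore them inside a scheme
# (so "java\tscript:" must be treated as "javascript:"). Relative URLs pass.
def safe_url?(value)
  cleaned = value.gsub(/[[:cntrl:]\s]/, "")
  scheme = cleaned[/\A([a-z][a-z0-9+.\-]*):/i, 1]
  scheme.nil? || SAFE_SCHEMES.include?(scheme.downcase)
end

def parse_attrs(src)
  src.scan(ATTR_RE).map { |name, dq, sq, bare| [name.downcase, dq || sq || bare] }
end

# Rebuild a tag from scratch using only allowed attributes; anything that is
# not an allowed tag is emitted as escaped text, never as markup.
def rebuild_tag(m)
  closing, name, attr_src = m[1], m[2].downcase, m[3]
  return CGI.escapeHTML(m[0]) unless ALLOWED_TAGS.include?(name)
  return "</#{name}>" if closing == "/"
  allowed = ALLOWED_ATTRS.fetch(name, [])
  attrs = parse_attrs(attr_src).select do |k, v|
    allowed.include?(k) && (k != "href" || safe_url?(v))
  end
  # Values are re-escaped; entities in the input are not decoded, so they stay literal.
  attr_str = attrs.map { |k, v| %( #{k}="#{CGI.escapeHTML(v)}") }.join
  "<#{name}#{attr_str}>"
end

# White-list sanitizer: text between tags is HTML-escaped, allowed tags are
# rebuilt, everything else becomes visible escaped text.
def whitelist_sanitize(html)
  out = +""
  pos = 0
  html.scan(TAG_RE) do
    m = Regexp.last_match
    out << CGI.escapeHTML(html[pos...m.begin(0)])
    out << rebuild_tag(m)
    pos = m.end(0)
  end
  out << CGI.escapeHTML(html[pos..-1])
  out
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample inputs for this example.
  [
    '<b>bold</b> & <i>it</i>',
    '<script>alert(1)</script>',
    '<a href="javascript:alert(1)">x</a>',
    '<a href="http://example.com" onclick="evil()">x</a>',
    '<img src=x onerror=alert(1)>',
    '<B ONCLICK=x>y</B>'
  ].each { |s| puts "#{s.inspect} => #{whitelist_sanitize(s).inspect}" }
end
```

Note the contrast with a blacklist helper: the `<img onerror>` and `<B ONCLICK>` cases are handled without the sanitizer knowing anything about img, onerror or onclick, because the decision is "is this on the list" rather than "is this known to be dangerous".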