Friday, Aug 17 2007

Don’t use strip_tags, strip_links and sanitize

Update: This is about earlier releases. Rails 2.0 provides a new sanitize method which uses a white list. strip_tags and strip_links have also been updated, so the attack vectors below no longer work.
 
Rails includes several insecure text helpers, especially strip_tags, strip_links and sanitize. Do not rely on these, as they do not deliver what their names promise. Here are two examples:
 
Note: the original attributes href and src were replaced by the blog software with xhref and xsrc in the following.

>> strip_tags("sdfasdf<<b>script>alert('hello')<</b>/script>")
=> "sdfasdf<script>alert('hello')</script>"
>> strip_links("<a xhref='http://www.holy-angel.com/'><a xhref='http://www.attacker.com/'>Test</a></a>")
=> "<a xhref='http://www.attacker.com/'>Test</a>"

I've posted a bug ticket at http://dev.rubyonrails.org/ticket/8864, which was followed by http://dev.rubyonrails.org/ticket/8877, but it won't be fixed until Rails 2.0, so I recommend using Rick's white_list plugin to remove all but a set of safe tags.


Reader Comments (160)

I couldn't understand some parts of this article o.us poetry, but I guess I just need to check some more resources regarding this, because it sounds interesting.

August 18, 2007 | Unregistered CommenterDaniel

Sorry, that formatting didn't work at all:

Out of curiosity, why do you consider the second one to be an attack? Or do you mean that strip links isn't working as designed since it is leaving the second link?

If you allow

in the white_list plugin you get

which shows the attacker url in the status bar when you mouse over the link. By the way, the white_list plugin is GREAT :)

August 22, 2007 | Unregistered CommenterMark

Yes, because it is not working as designed and someone can hide an attack in a link, especially using the javascript: or data: protocol. Consider this: data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K

The white_list plugin at least filters bad protocols, well it simply allows only http (and some other).

August 22, 2007 | Unregistered CommenterHeiko

[...] this post on Ruby on Rails Security [...]

September 1, 2007 | Unregistered CommenterNome do Jogo » Blog Arch


Good point!

This is a commonly used command and most people don't know its real consequences!

October 2, 2007 | Unregistered CommenterFelipe Giotto


fixed in 2.0 indeed, you're safe :)

November 11, 2007 | Unregistered CommenterPlop


How do I use the white_list plugin instead of help.strip_tags(html)? I used white_list(html),
but it didn't work.

January 10, 2008 | Unregistered Commenterzlai

strip_tags removes every html tag; whitelist (or Rails' sanitize method, as it is based on white_list) allows you to select the tags to remove. Take a look at the documentation for which tags you can remove and how. These methods are safe in 2.0.

January 10, 2008 | Unregistered CommenterHeiko
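The two comment threads above make the same point from different angles: Heiko's reply about javascript: and data: links, and his later explanation that a whitelist selects what to keep rather than what to remove. The following added example, written for this page and not code from the post, the white_list plugin or Rails' sanitize, shows both ideas together: an allowlist of tags and attributes, plus an allowlist of URL schemes for href so that a javascript: or data: link is dropped even though <a> itself is permitted. The tokenizer is a small hand-written one for illustration; a production sanitizer should sit on a real HTML parser. All names are this example's own.

```ruby
# Added example for the allowlist discussion in the comments; not plugin or Rails code.

ALLOWED_TAGS    = %w[a b i em strong code].freeze
ALLOWED_ATTRS   = { "a" => %w[href title] }.freeze   # per-tag attribute allowlist
ALLOWED_SCHEMES = %w[http https mailto].freeze       # everything else is dropped

ATTR_RE = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/

def html_escape(text)
  text.gsub("&", "&amp;").gsub("<", "&lt;").gsub(">", "&gt;").gsub('"', "&quot;")
end

# True when the URL is relative or uses an allowlisted scheme.
# Browsers ignore whitespace and control characters inside a scheme
# ("java\tscript:"), so they are removed before the scheme is read.
# A host:port without a scheme is treated as an unknown scheme and rejected,
# which is the conservative choice for an allowlist.
def safe_href?(url)
  normalized = url.gsub(/[\s\x00-\x1f]/, "").downcase
  if normalized =~ /\A([a-z][a-z0-9+.\-]*):/
    ALLOWED_SCHEMES.include?($1)
  else
    true
  end
end

# Rebuild an opening tag from its parsed parts, keeping only allowlisted
# attributes; the original attribute text is never copied through.
def rebuild_open_tag(name, raw_attrs)
  allowed = ALLOWED_ATTRS.fetch(name, [])
  kept = raw_attrs.scan(ATTR_RE).map do |attr, dq, sq, bare|
    attr  = attr.downcase
    value = dq || sq || bare
    next unless allowed.include?(attr)
    next if attr == "href" && !safe_href?(value)
    %( #{attr}="#{html_escape(value)}")
  end.compact
  "<#{name}#{kept.join}>"
end

# Allowlist sanitizer: tags not on the list are dropped (their text content
# survives as escaped text), listed tags are re-emitted from parsed parts,
# and every text run is escaped. Tags are not balanced; a parser would do that.
def sanitize_allowlist(html)
  html.scan(/<[^>]*>|[^<]+|</).map do |token|
    m = token.match(/\A<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>\z/)
    if m
      closing   = m[1] == "/"
      name      = m[2].downcase
      raw_attrs = m[3]
      next "" unless ALLOWED_TAGS.include?(name)
      closing ? "</#{name}>" : rebuild_open_tag(name, raw_attrs)
    else
      html_escape(token)   # plain text, or a stray "<" that is not a tag
    end
  end.join
end

if __FILE__ == $0
  # Constructed inputs; the data: URL is the one quoted in Heiko's comment.
  puts sanitize_allowlist('<a href="http://example.com/" onclick="x()">ok</a>')
  puts sanitize_allowlist('<a href="javascript:alert(1)">click</a>')
  puts sanitize_allowlist('<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">x</a>')
  puts sanitize_allowlist("<script>alert(1)</script><b>bold</b>")
end
```

The important design choice is that nothing from the input is copied verbatim: tag names and attributes are re-emitted from parsed values, so an attacker controls only the text inside known-safe slots, and the href slot additionally has to pass a scheme allowlist.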
