Monday, October 1, 2007

ActionPack: Security

The Rails 2.0 Preview Release is available now, which is great news. The announcement includes a paragraph on security:

  • "we now ship we a built-in mechanism for dealing with CRSF attacks": yes, it works fine.
  • "The old TextHelper#sanitize method has gone from a black list (very hard to keep secure) approach to a white list approach." Very good news. This is in fact the white_list plugin, which has been merged. A test with my private XSS list worked fine. It even has an easier way to allow tags directly in the method call:
    sanitize @article.body, :tags => %w(table tr td), :attributes => %w(id class style)
  • "Finally, we’ve added support for HTTP only cookies. They are not yet supported by all browsers, but you can use them where they are." HttpOnly cookies are supported from IE 6 SP1 and, more recently, Firefox 2.0.0.5. An HttpOnly cookie can no longer be read through document.cookie. Keep in mind, though, that there are other ways to get at the cookie; still, it shuts down the most obvious one.
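
To show what the black-list-to-white-list change in sanitize actually means, here is a small stand-alone white-list sanitizer in plain Ruby. It is an added illustration, not the Rails or white_list plugin code: the module name WhiteListSanitizer, its regexes and the SAFE_SCHEMES list are my own assumptions. The rule it implements is the one the announcement describes: tags and attributes that are not on the list are dropped, text is escaped, and nothing is ever matched against a list of "known bad" patterns. Because the post's own example allows the style attribute, the example also shows why that attribute needs its own check.

```ruby
require 'cgi'
require 'set'

# Added illustration of the white-list idea behind the new sanitize: a small
# stand-alone sanitizer in plain Ruby. It is NOT the Rails/white_list code.
# Rule: anything not explicitly allowed is escaped (text) or dropped (tags,
# attributes); nothing is ever recognised as "known bad".
module WhiteListSanitizer
  # Schemes permitted in href/src. URLs without a scheme (relative) are fine.
  SAFE_SCHEMES   = %w[http https mailto].freeze
  URL_ATTRIBUTES = %w[href src].freeze

  TAG_RE  = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/
  ATTR_RE = /([a-zA-Z][\w:-]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/

  module_function

  # Keep only +tags+ and +attributes+. Disallowed tags are removed while their
  # text content stays; disallowed attributes and unsafe values are dropped.
  def sanitize(html, tags:, attributes:)
    allowed_tags  = Set.new(tags.map(&:downcase))
    allowed_attrs = Set.new(attributes.map(&:downcase))
    out = +""
    pos = 0
    html.scan(TAG_RE) do
      m = Regexp.last_match
      out << escape_text(html[pos...m.begin(0)])
      pos = m.end(0)
      closing, name, attr_src = (m[1] == "/"), m[2].downcase, m[3]
      next unless allowed_tags.include?(name)   # unknown tag: drop it, keep the text
      out << (closing ? "</#{name}>" : "<#{name}#{render_attributes(attr_src, allowed_attrs)}>")
    end
    out << escape_text(html[pos..-1])
  end

  # Rebuild the attribute list from the white list only. Values are entity-
  # decoded before checking (so &#106;avascript: is seen as javascript:) and
  # re-escaped on output.
  def render_attributes(attr_src, allowed_attrs)
    attr_src.scan(ATTR_RE).map do |name, dq, sq, bare|
      name  = name.downcase
      value = CGI.unescapeHTML(dq || sq || bare || "")
      next unless allowed_attrs.include?(name)
      next if URL_ATTRIBUTES.include?(name) && !safe_url?(value)
      next if name == "style" && !safe_style?(value)
      %( #{name}="#{CGI.escapeHTML(value)}")
    end.compact.join
  end

  # Whitespace and control characters are removed first because browsers
  # ignore them inside a scheme ("java\tscript:" is still javascript:).
  def safe_url?(value)
    v = value.gsub(/[\s\x00-\x1f]/, "").downcase
    scheme = v[/\A([a-z][a-z0-9+.\-]*):/, 1]
    scheme.nil? || SAFE_SCHEMES.include?(scheme)
  end

  # style is itself an injection vector in older browsers (expression()),
  # so only plain "property: simple-value" declarations survive.
  def safe_style?(value)
    value.split(";").all? do |decl|
      decl.strip.empty? || decl.match?(/\A\s*[a-z-]+\s*:\s*[\w\s#%.,-]+\s*\z/i)
    end
  end

  # Text nodes: normalise existing entities, then escape everything.
  def escape_text(text)
    CGI.escapeHTML(CGI.unescapeHTML(text))
  end
end

if __FILE__ == $0
  # Constructed sample input.
  dirty = %(<p class="x" onclick="evil()">Hi <b>there</b> <script>alert(1)</script><a href="javascript:alert(1)">x</a></p>)
  puts WhiteListSanitizer.sanitize(dirty, tags: %w(p b a), attributes: %w(class href))
  # => <p class="x">Hi <b>there</b> alert(1)<a>x</a></p>
end
```

The call shape mirrors the post's `sanitize @article.body, :tags => ..., :attributes => ...`: the white list is passed in, and everything else falls through to the escaping path. Note that allowing `style`, as in the post's example, is only safe when the value is also checked; the example refuses any declaration that is not a simple `property: value` pair.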

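The HttpOnly flag is nothing more than an attribute on the Set-Cookie header, so the easiest way to see whether an application really uses it is to look at its responses. The following is an added example in plain Ruby, not Rails code and not from the post: the CookieFlags module, its set_cookie builder and the session-name pattern are assumptions, and the sample headers are constructed.

```ruby
require 'set'

# Added example, not from the post: what the HttpOnly flag looks like on the
# wire, plus a small audit over Set-Cookie headers to find session cookies
# that still lack it.
module CookieFlags
  # Build a Set-Cookie header value. HttpOnly keeps it out of document.cookie;
  # Secure keeps it off plain HTTP. Both are on by default here.
  def self.set_cookie(name, value, path: "/", http_only: true, secure: true)
    parts = ["#{name}=#{value}", "path=#{path}"]
    parts << "Secure"   if secure
    parts << "HttpOnly" if http_only
    parts.join("; ")
  end

  # Parse one Set-Cookie header value into its name, value and attribute names.
  def self.parse(header)
    pair, *attrs = header.split(";").map(&:strip)
    name, value = pair.split("=", 2)
    { name: name, value: value,
      attrs: Set.new(attrs.map { |a| a.split("=", 2).first.downcase }) }
  end

  # Names of cookies whose name looks like a session identifier but whose
  # header carries no HttpOnly flag. +headers+ is an array of Set-Cookie values.
  def self.missing_http_only(headers, session_pattern: /sess|sid/i)
    headers.map { |h| parse(h) }
           .select { |c| c[:name] =~ session_pattern && !c[:attrs].include?("httponly") }
           .map { |c| c[:name] }
  end
end

if __FILE__ == $0
  # Constructed sample headers (cookie names and values are made up).
  sample = [
    "_session_id=abc123; path=/",                      # readable by document.cookie
    CookieFlags.set_cookie("_session_id", "abc123"),  # HttpOnly + Secure
    "lang=en; path=/"
  ]
  p CookieFlags.missing_http_only(sample)   # ["_session_id"]
end
```

Running the audit against captured response headers gives a quick list of session cookies that script on the page can still read; as the post says, HttpOnly closes only that one path, so the check is a baseline rather than a guarantee.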

Reader Comments (6)

It is "CSRF" and not "CRSF"

February 16, 2009 | Unregistered Commenter karatedog
