Entries Tagged as 'XSS and Rails'
The Tainted Edition
February 13th, 2008 · 8 Comments
There has been a discussion about whether to untaint or not. A string becomes tainted in Ruby when it comes from an external source, for example. The standard Ruby method untaint marks it as untainted. Plugins such as SafeErb do not allow the programmer to output tainted strings (in Erb) in order to protect the […]
Tags: Rails · Uncategorized · XSS and Rails
Rails 1.2.5 security release
October 15th, 2007 · No Comments
There is another security release which addresses once again the to_json vulnerability. It now has a CVE. If you used to_json in a page you generate:
<script type="text/javascript"> var customers = <%= @customers.to_json %>; </script>
you should upgrade to 1.2.5. Besides that, it fixes some bugs from 1.2.4.
Tags: Uncategorized · XSS and Rails
Rails 1.2.4 Maintenance release, security
October 10th, 2007 · No Comments
The release of Ruby on Rails 1.2.4 addresses some potential security issues; all users of earlier versions are advised to upgrade to 1.2.4.
The following issues have been addressed:
URL-based sessions are no longer enabled by default, as it allowed users to provide their session_id in the URL as well as cookies. The functionality could be […]
Tags: Rails · XSS and Rails
ActionPack: Security
October 1st, 2007 · 1 Comment
The Rails 2.0 Preview Release is available now, which is great news. The announcement includes a paragraph on security:
"we now ship with a built-in mechanism for dealing with CSRF attacks", yes, it works fine
"The old TextHelper#sanitize method has gone from a black list (very hard to keep secure) approach to a white list approach." Very […]
Tags: Rails · XSS and Rails