XSS Countermeasures
Sunday, May 6, 2007 at 9:32AM

Filtering malicious input is very important, but when it comes to user agent injection (XSS) it is just as important that the output contains no executable code. Input filters are introduced later; in general, an input filter checks that the user input has a specific format and rejects it with an error message if not. Importantly, the error message should not be too specific, and it should not re-display the input without output filtration.
Output filtration most commonly happens in the view part of a Rails application. If no HTML at all is allowed in the user input, you can filter it with Ruby's escapeHTML() (or its alias h()), which replaces the possibly malicious input characters &, ", < and > with their uninterpreted HTML representations (&amp;, &quot;, &lt;, &gt;). However, a programmer can easily forget to use it in just one place, and then the web application is vulnerable again. It is therefore recommended to use the Safe ERB plugin (http://www.kbmj.com/~shinya/rails/), which throws an error if so-called tainted strings are not escaped. In Ruby, a string is tainted if it comes from an external source (for example the database, a file, or the Internet); it can be untainted by Safe ERB's modified escapeHTML() function or by the Object.untaint() function.
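The two layers described above, as an added example that is not code from the post: an input filter that accepts only a given format and answers with a generic error, and the same ERB view with and without h(). The names (validate_comment, tag_leaked?, the SAMPLE_COMMENT input) are constructed here; h() is implemented with CGI.escapeHTML, which is what Rails' helper wraps.

```ruby
require 'cgi'
require 'erb'

# h(): the characters the browser would interpret become entity forms
# (CGI.escapeHTML additionally turns ' into &#39;).
def h(text)
  CGI.escapeHTML(text.to_s)
end

# Input filter: a comment must be 1 to 500 printable characters.
# Returns nil when the format is acceptable, otherwise a generic message
# that deliberately does not echo the rejected value.
COMMENT_FORMAT = /\A[[:print:]\n]{1,500}\z/
def validate_comment(comment)
  comment =~ COMMENT_FORMAT ? nil : "Comment must be 1 to 500 printable characters."
end

# Two versions of the same view: one forgets h(), one uses it.
UNSAFE_VIEW = ERB.new("<p class='comment'><%= comment %></p>")
SAFE_VIEW   = ERB.new("<p class='comment'><%= h(comment) %></p>")

def render(view, comment)
  view.result(binding) # the template sees the local variable `comment`
end

# Constructed input that passes the format check yet carries markup:
# the input filter alone does not stop it, output escaping does.
SAMPLE_COMMENT = "<script>alert('xss')</script> nice post"

def unsafe_output
  render(UNSAFE_VIEW, SAMPLE_COMMENT)
end

def safe_output
  render(SAFE_VIEW, SAMPLE_COMMENT)
end

# Check to run over rendered output: did any tag survive inside the
# comment element? nil if the element is not found at all.
def tag_leaked?(html)
  html =~ %r{<p class='comment'>(.*)</p>}m && $1.include?('<')
end

if __FILE__ == $0
  puts "validation: #{validate_comment(SAMPLE_COMMENT).inspect}"
  puts "unsafe:     #{unsafe_output}"
  puts "safe:       #{safe_output}"
end
```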
However, if your application's users need text formatting in their input, it is best to use a markup language which is interpreted not by the user agent but by the web application. RedCloth (http://whytheluckystiff.net/ruby/redcloth/), for example, does this.
As for character encoding, you should force the user's browser to use the encoding you chose. In Rails you can enforce ISO-8859-15 by adding the following lines to application.rb:

```ruby
# Runs after every action and tags text responses with the chosen charset.
# (In current Rails the equivalents are after_action and response.headers.)
after_filter :set_charset

private

def set_charset
  content_type = @headers["Content-Type"] || 'text/html'
  # Only text/* responses get a charset; binary responses are left untouched.
  if /^text\//.match(content_type)
    @headers["Content-Type"] = "#{content_type}; charset=ISO-8859-15"
  end
end
```
And in the controller you can convert encodings, for example ISO-8859-15 to UTF-8, with this:

```ruby
require 'iconv'

# Iconv.new(to_encoding, from_encoding): this converts the submitted comment
# from ISO-8859-15 to UTF-8; swap the two arguments for the other direction.
# (Iconv is no longer in the standard library of current Ruby; String#encode
# does the same job there.)
sconvcomment = Iconv.new('UTF-8', 'ISO-8859-15').iconv(params[:comment])
```
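An added example, not code from the post, that carries the charset header rule and the encoding conversion into plain Ruby (String#encode in place of Iconv, which later Ruby versions removed from the standard library) and handles the failure modes the snippets above do not: a charset appended twice, a binary response mislabelled, and a character the target charset cannot represent. The function names and the sample bytes are constructed here.

```ruby
# Content-Type rule from the post as a plain function over a headers hash,
# so it can be exercised outside Rails. Two extra checks: never add a second
# charset, and never touch non-text responses such as image/png.
def set_charset(headers, charset = 'ISO-8859-15')
  content_type = headers['Content-Type'] || 'text/html'
  if content_type.start_with?('text/') && !content_type.include?('charset=')
    headers['Content-Type'] = "#{content_type}; charset=#{charset}"
  end
  headers
end

# Request bodies arrive as raw bytes; the charset the browser was told to
# use says how to read them. force_encoding labels the bytes, encode
# transcodes them (ISO-8859-15 -> UTF-8, the direction the post mentions).
def latin9_bytes_to_utf8(raw)
  raw.dup.force_encoding('ISO-8859-15').encode('UTF-8')
end

# The reverse direction can fail: a character with no ISO-8859-15 code point
# raises Encoding::UndefinedConversionError unless told what to substitute.
def utf8_to_latin9(text)
  text.encode('ISO-8859-15', invalid: :replace, undef: :replace, replace: '?')
end

# Constructed ISO-8859-15 form body for "café €" (0xE9 = é, 0xA4 = €).
RAW_COMMENT = [0x63, 0x61, 0x66, 0xE9, 0x20, 0xA4].pack('C*')

if __FILE__ == $0
  puts set_charset({})['Content-Type']
  puts latin9_bytes_to_utf8(RAW_COMMENT)
  puts utf8_to_latin9("caf\u00e9 \u20ac \u65e5").bytes.map { |b| format('%02X', b) }.join(' ')
end
```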
Heiko

Reader Comments (174)
Ruby on Rails is a great Ruby framework for rapid development of web applications. But default Rails comes with some (in)security features that must be hardened and fixed. And a lot of the how-tos and tutorials on the internet that publish the sponsor "w...
Wouldn't it be a better practice to verify all data before it is saved to string fields in the database, with a white list for the fields that are allowed to contain HTML characters?
That way you only need to verify the data once: when it goes into the database, and not every time you display it, according to the DRY principle.
You could achieve this in the models with validation or write a plugin for it ...
This will certainly work for a small project, but a large project is much more complicated. Has this been sanitized before? Was this string being saved in an old version when we sanitized only the database output? What happens if there's an error and the unsaved string will be re-displayed?
I prefer to validate it when it comes in and sanitize/escape it according to the output processor (HTML, CSS, Ferret, SQL, ...).