This is Rails' sanitize method:
sanitize(html)
Sanitizes the html by converting <form> and <script> tags into regular text, and removing all "onxxx" attributes (so that arbitrary Javascript cannot be executed). It also removes href= and src= attributes that start with "javascript:".
This is a blacklist method: it removes JavaScript that is known to be harmful and lets everything else through. As I said before, blacklist filters are never complete; they stop only the most basic cross-site scripting attacks, and there will always be some construct that runs fine in one browser or another even though the filter has been applied. Examples are here, here and here (list != infinite). Here are some other examples that pass through sanitize and execute in IE (mostly v6) or Firefox:
- <IMG SRC="javascript:alert(String.fromCharCode(88,83,83));">
- <DIV STYLE="background-image: url(javascript:alert(1))">
- <div style="width: expression(alert(1))">hello</div>
- <INPUT TYPE="IMAGE" SRC="javascript:alert(1);">
I will not post these examples as a ticket, because I think fixing a blacklist is rather useless. As DHH said in one of the tickets, sanitize in that form is more or less deprecated, and a whitelist filter is definitely better. I recommend not using sanitize until it has been converted to a whitelist filter.
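To make the blacklist-versus-whitelist point concrete, here is an added example (my own code, not Rails' sanitize and not from the original post): a toy blacklist filter that does only what the Rails documentation above describes, beside a toy whitelist filter that keeps only listed tags, listed attributes and URLs with a known-good scheme. Both are run over the four payloads listed above plus a fifth, constructed here, that hides `javascript:` behind a leading tab. The blacklist's `href`/`src` check in this model keys on the literal lower-case names, which is one way such a filter misses an attribute written as `SRC`; that is an assumption of this toy, not a description of the exact Rails code. The regex-based tag handling is for illustration only; a real whitelist sanitizer should sit on an HTML parser.

```ruby
# Added example: toy blacklist vs. toy whitelist HTML sanitizer (not Rails code).

TAG_RE  = /<(\/?)([A-Za-z][\w:]*)([^>]*)>/
ATTR_RE = /([A-Za-z_:][\w:.-]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/

# Parse the attribute part of a tag into [name, value] pairs (value may be nil).
def parse_attrs(raw)
  raw.scan(ATTR_RE).map { |name, dq, sq, bare| [name, dq || sq || bare] }
end

def rebuild(closing, name, attrs)
  tag = "<#{closing}#{name}"
  attrs.each { |n, v| tag << (v.nil? ? " #{n}" : %( #{n}="#{v.gsub('"', '&quot;')}")) }
  tag << ">"
end

# Render a tag as plain text, as the Rails docs describe for <form>/<script>.
def escape_tag(tag)
  tag.gsub("<", "&lt;").gsub(">", "&gt;")
end

# --- Blacklist: enumerate what is known to be bad, let everything else through.
BLACKLIST_TAGS = %w[form script]

def blacklist_sanitize(html)
  html.gsub(TAG_RE) do
    closing, name, raw = $1, $2, $3
    next escape_tag($&) if BLACKLIST_TAGS.include?(name.downcase)
    attrs = parse_attrs(raw)
    attrs.reject! { |n, _| n =~ /\Aon/i }                       # drop on* handlers
    # Assumption of this toy model (not a claim about the exact Rails code):
    # the javascript: check keys on the literal names "href"/"src", so an
    # attribute written as SRC is never inspected, and style is never looked at.
    attrs.reject! { |n, v| %w[href src].include?(n) && v.to_s =~ /\Ajavascript:/i }
    rebuild(closing, name, attrs)
  end
end

# --- Whitelist: enumerate what is known to be good, reject everything else.
ALLOWED = {
  "a" => %w[href title], "img" => %w[src alt],
  "p" => [], "br" => [], "b" => [], "i" => [], "em" => [], "strong" => [],
  "div" => [], "span" => [],
}
URL_ATTRS   = %w[href src]
SAFE_URL_RE = %r{\A(?:https?://|mailto:|/)}i   # absolute http(s)/mailto or root-relative

# Positive validation: reject control characters, then require a known scheme.
def safe_url?(value)
  v = value.to_s.strip
  v !~ /[\x00-\x1f]/ && v =~ SAFE_URL_RE ? true : false
end

def whitelist_sanitize(html)
  html.gsub(TAG_RE) do
    closing, name, raw = $1, $2.downcase, $3
    allowed = ALLOWED[name]
    next escape_tag($&) unless allowed                          # unknown tag -> text
    attrs = parse_attrs(raw).map { |n, v| [n.downcase, v] }
    attrs.select! { |n, v| allowed.include?(n) && (!URL_ATTRS.include?(n) || safe_url?(v)) }
    rebuild(closing, name, attrs)
  end
end

# Payloads: the four from the post plus one leading-whitespace variant (constructed here).
PAYLOADS = [
  %q{<IMG SRC="javascript:alert(String.fromCharCode(88,83,83));">},
  %q{<DIV STYLE="background-image: url(javascript:alert(1))">},
  %q{<div style="width: expression(alert(1))">hello</div>},
  %q{<INPUT TYPE="IMAGE" SRC="javascript:alert(1);">},
  "<a href=\"\tjavascript:alert(1)\">click</a>",
]

# Crude check for what survived: a live tag still carrying a javascript:
# URL, a CSS expression(), or an on* handler.
def still_dangerous?(html)
  html =~ /<[^>]*(?:javascript:|expression\(|\son\w+\s*=)/i ? true : false
end

def compare(payloads = PAYLOADS)
  payloads.map do |p|
    { input: p,
      blacklist: blacklist_sanitize(p), blacklist_unsafe: still_dangerous?(blacklist_sanitize(p)),
      whitelist: whitelist_sanitize(p), whitelist_unsafe: still_dangerous?(whitelist_sanitize(p)) }
  end
end

if __FILE__ == $0
  compare.each do |r|
    puts r[:input]
    puts "  blacklist -> #{r[:blacklist]}  (#{r[:blacklist_unsafe] ? 'STILL DANGEROUS' : 'ok'})"
    puts "  whitelist -> #{r[:whitelist]}  (#{r[:whitelist_unsafe] ? 'STILL DANGEROUS' : 'ok'})"
  end
end
```

Run it with `ruby sanitize_compare.rb`. Every payload survives the blacklist because each one uses something the list simply does not mention (a `style` attribute, an upper-case `SRC`, a tab before `javascript:`), while the whitelist needs no knowledge of any particular trick: a `div` may carry no attributes at all, an `input` is not a known tag and becomes text, and a URL is kept only when it positively matches an allowed scheme.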
This is RSnake's famous XSS Cheat Sheet.