« OpenID security issues | Main | Don’t use strip_tags, strip_links and sanitize »
Monday
Aug202007

RedCloth security thoughts

DateMonday, August 20, 2007 at 12:51PM

Often times RedCloth is used to prevent Cross Site Scripting, because it uses a markup other than HTML to format text. "RedCloth is a module for using Textile in Ruby. Textile is a text format. A very simple text format. Another stab at making readable text that can be converted to HTML." For example *a phrase* becomes a phrase in RedCloth. However, there are a few things you have to know:

Note: the original attributes href and src were replaced by the blog software with xhref and xsrc in the following.

Using RedCloth without any options is still vulnerable to XSS:

>> RedCloth.new('<script>alert(1)</script>').to_html
=> "<script>alert(1)</script>"

Use the :filter_html option to remove or escape HTML which wasn’t created by the Textile processor:

>> RedCloth.new('<script>alert(1)</script>', [:filter_html]).to_html
=> "alert(1)"

However, this does not filter all HTML, a few tags will be left, for example <a>:

>> RedCloth.new("<a xhref='javascript:alert(1)'>hello</a>", [:filter_html]).to_html=> "<p><a _href=\"javascript:alert(1)\">hello</a></p>"

According to the source code, the image tag (<img xsrc="">) is allowed, as well, which should allow attacks like these:

<IMG xsrc=javascript:alert('XSS')> 

However, my setup (version 3.0.4) gives me errors when passing image tags. I recommend to use a combination of RedCloth and the good old white_list filter, as in:

>> RedCloth.new('"ha":javascript:alert(1);').to_html
=> "<p><a xhref=\"javascript:alert(1);\">ha</a></p>"

>> white_list(RedCloth.new('"ha":javascript:alert(1);').to_html)
=> "<p><a>ha</a></p>"

As you can see, the Textile syntax allows you to create JavaScript links, as well. And if you think a JavaScript link looks suspicious to the users you can hide links in the data: protocol, as in Thou art so tolerant.

Another attack vector could be built with the Textile ability to include CSS. As described earlier, an attacker may deface your site and display his own elements (links, buttons, maybe login forms) on top of your original ones and lure the victim on one of his pages:

>> RedCloth.new('p{position:absolute; top:50px; left:10px; width:150px; height:150px}. Spacey blue').to_html
=> "<p style=\"position:absolute; top:50px; left:10px; width:150px; height:150px;\">Spacey blue</p>"

>> RedCloth.new('p{position:absolute; top:50px; left:10px; width:150px; height:150px}. No spacey blue', [:filter_styles]).to_html
=> "<p>No spacey blue</p>"

So a good combination of RedCloth and the WhiteListHelper should be a secure solution.

AuthorHeiko | Comment182 Comments | Reference4 References |

PrintView Printer Friendly Version

EmailEmail Article to Friend

References (4)

References allow you to track sources for this article, as well as articles that were written in response to this article.
  • Response
    Response: Yaki human hair extensions
    by Deman at Deman on October 18, 2009
    Hi. If you believe the doctors, nothing is wholesome; if you believe the theologians, nothing is innocent; if you believe the military, nothing is safe.I am from Japan and now study English, give true I wrote the following sentence: "Special love lining 1 and anastomosis secretary has been domesticated to human ...
  • Response
    Response: About human hair extensions
    by Gitana at Gitana on October 18, 2009
    Good evening. Obscurity is a good thing. You can fail in obscurity. It removes the fear of failure.I am from Morocco and learning to write in English, give true I wrote the following sentence: "In 2009 another language-specific death back, working a yolk of promises from members and the third nigger, ...
  • Response
    Response: auto loans quotes
    by Rutha at Rutha on November 6, 2009
    Hello. Music with dinner is an insult both to the cook and the violinist. Help me! Could you help me find sites on the: auto loans quotes. I found only this - http://www.steger.org.ua/Members/Taxattorney/tax-attorney-everett. Owing to their newest milk trial, the irs is sending packages that october 20-year is the certain party ...
  • Response
    Response: Casino royale music free download
    by Kenisha at Kenisha on December 6, 2009
    Good Day. My father hated radio and could not wait for television to be invented so he could hate that too. Help me! I can not find sites on the: Casino royale music free download. I found only this - http://www.portlandurbanpages.com/Members/CasinoRoyale/the-real-casino-royal. They arrive that the color is reinforced atop a enough ...

Reader Comments (182)

Implemented this exact same solution the other day (except with SuperRedCloth). I tried Sam Ruby's port of the html5lib sanitizer first but it seemed quite slow. That is perhaps a more rigorous solution though.

August 20, 2007 | Unregistered Commenterevan

Uh, I just use textilize ... ?

August 24, 2007 | Unregistered CommenterMike

textilize() is nearly the same as RedCloth.new(...).to_html, it calls RedCloth in the back-end. So RedCloth needs to installed.

August 24, 2007 | Unregistered CommenterHeiko

Hey All ! ! !
The information is particularly important to men, who torn third dozen,
it's the age when most men are early signs of prostate and prostate adenoma.
Disease prevention is better than cure later.
Visit .
And let's health will be many years with you!

August 24, 2007 | Unregistered CommenterAibolit

I want to add, that it is possible to use javascript in css. Internet Explorer allows for like:

I didn't play around with it any more than this, but it could be perfectly possible to call functions that are defined within the page (just think about all the XHR stuff and the javascript libraries all over the place in every HTML file nowadays) with some parameters. I think there are some uses, you better don't want your page to do unexpectedly. ;)

Another thing is, that IE5+ (but also (older?) Opera) lets you use javascript in css like this:

The above works in IE and results in blanking out your HTML page and writing 'foobar' on it. Opera9 doesn't do it. I don't have an older version to test atm.
The following code does the obvious:

Displaying an alert to the user in IE. I think, that there are some (somewhat limited) possibilities in this. Especially as you can use every javascript class/method and variables etc that are defined in the page. Pretty scary imho if you let users write HTML that is redisplayed to them and others users of your application. ;)

August 24, 2007 | Unregistered Commentergraste

Hey All ! ! !
Want to spend your vacation to be remembered for long?
...
help you carry out your wishes !

August 30, 2007 | Unregistered CommenterAlextoss

Hello! ! ...
How to select a gift for this man? ...
This issue will not concern you! ...
Information on this here ... !

September 3, 2007 | Unregistered CommenterRamzesus

[url=http://awkwardamateurs.741.com/index.html]asian amateur pages free pic[/url]

September 23, 2007 | Unregistered Commentermega

[url=http://daily.inter.by]belorussian spamers![/url]

September 26, 2007 | Unregistered Commenterinter

[url=http://seattleamateur.741.com/index.html]amateur one slut[/url]

September 26, 2007 | Unregistered Commenterinc911

[url=http://securityamateur.741.com/index.html]amateur nest annette[/url]

September 26, 2007 | Unregistered Commenteradsense2007

Gear up for grub with a tripleheader of pigskin, including a meeting of brothers in Dallas. Everybody knows it's been a rough year for her, but find out who else had issues

November 25, 2007 | Unregistered CommenterJessica

Contrary to popular belief, the end of the year is one of the best times to look for, awesome descion

December 10, 2007 | Unregistered Commentersasha brinkova

best cavity!ax fortifying Dublin used sports car auto insurance quote [url=http://www.webfir.com/02614.html]used sports car auto insurance quote[/url] http://www.webfir.com/02614.html ...

December 11, 2007 | Unregistered Commenterblythe california car insuranc

lifetimes Allah girlfriend ...

December 11, 2007 | Unregistered Commenterhyundai accent 1 3 lsi insuran

The site is selling cheap (mesos,money) in maple story.we sell maple story money and maple story item in maple story only,not ms ... Delivery time less than 10 Mins. We will never use hacks tool to make the .
.

December 27, 2007 | Unregistered CommenterMaple Story Mesos

Buy ,cheap ffxi gil,cheapest ffxi gil,Final Fantasy XI Gil sale.We provide cheap eve online isk to reliable customer.Cheap for sale,lowest price gold for wow,as low as $19/1000 Gold., EVE ISK, Buy eve online isk, Cheap eve online isk.Buy world of warcraft gold here.EVE Online ISK, , Buy EVE ISK, Cheap EVE ISK. We provide cheap EVE ISK to reliable customer. Lineage 2 Adena () is the most valuable form of currency in Lineage 2(L2 Adena). we supply cheap ,eq2 platinum and eq2 gold,everquest 2 plat,so you buy cheap eq2 gold,eq2 accounts.

January 15, 2008 | Unregistered Commenterffxi gil

aewdsa saf wefrasf adsf sdaf

January 28, 2008 | Unregistered CommenterJessica

There is no happiness like that of being loved by your these returning vnhxtrrpczayd was very pleasant or desirable no magnet drew me.

January 30, 2008 | Unregistered CommenterRebecca98

diagrams sheaths container:...

May 23, 2008 | Unregistered Commenteronline poker games
Page 1 2 3 4 5 ... 10 Next 20 Comments Most Recent Comment »

PostPost a New Comment

Enter your information below to add a new comment.

My response is on my own website »
Author Email (optional):
Author URL (optional):
Post:
 
Some HTML allowed: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <code> <em> <i> <strike> <strong>

Notify me of follow-up comments via email.