The Ruby on Rails Security Project would like to help you make your Rails applications more secure. I'm Heiko Webers of bauland42 and I also do Rails security audits. You read the official Rails Security Guide? Great, so we know each other already, I wrote it. Contact me at 42 -the AT sign- bauland42.de or on Twitter.

Monday, Oct 13, 2008

New RedCloth security

RedCloth is a module for using Textile in Ruby. Textile is a simple text format that can be converted to HTML, eliminating the need to use HTML directly to create documents, blogs, or web pages.

The new version 4 promises to be faster and free of the bugs from version 3. And indeed it feels more reliable, and many of the earlier security concerns have now been dealt with. For example:

RedCloth.new("<script>alert(1)</script>").to_html

now returns

&lt;script&gt;alert(1)&lt;/script&gt;

instead of

<script>alert(1)</script>

in earlier versions. It is also good that it escapes the input instead of deleting the malicious parts. I tried many examples from the XSS cheatsheet as well as hand-crafted ones. The result is that nearly no malicious parts get through. Yes, nearly.

The <code> tag gets through:

RedCloth.new('<code onmouseover="bad_code_here">asdf</code>', [:filter_html]).to_html

returns

<code onmouseover="bad_code_here">asdf</code>

I've created a ticket for that.

Also remember that CSS injection still works in Textile if you allow styles. See the earlier post for that.

Nevertheless, the new version is far better. And in combination with a whitelist (namely Rails' sanitize() method) it is even secure.
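The two findings above (escaped <script>, surviving <code onmouseover>) and the advice to put a whitelist behind the renderer, as an added example that is not RedCloth's or Rails' own code: a regression check that runs the post's probes through any Textile renderer and flags event handlers, javascript: URLs and inline styles in the output, plus a minimal allowlist pass standing in for Rails' sanitize(). The STAND_IN renderer is constructed to reproduce the behaviour observed in the post, since RedCloth is assumed not to be installed here; the ALLOWED table and all function names are assumptions.

```ruby
# Attribute patterns that must never reach the browser from user markup.
EVENT_HANDLER = /\bon[a-z]+\s*=/i                       # onmouseover=, onclick=, ...
JS_URL        = /\b(?:href|src)\s*=\s*["']?\s*javascript:/i
INLINE_STYLE  = /\bstyle\s*=/i                          # CSS injection vector from the earlier post

TAG_RE = /<([a-zA-Z][\w-]*)\b([^>]*)>/                  # opening tags only (no "</")

# One finding per opening tag that carries a dangerous attribute.
def markup_findings(html)
  html.scan(TAG_RE).each_with_object([]) do |(tag, attrs), out|
    out << "#{tag}: event handler"   if attrs =~ EVENT_HANDLER
    out << "#{tag}: javascript: URL" if attrs =~ JS_URL
    out << "#{tag}: inline style"    if attrs =~ INLINE_STYLE
  end
end

# Allowlist pass: keep only listed tags, and on them only listed attributes.
# Simplified stand-in for Rails' sanitize(); it does not parse HTML fully,
# so use the real sanitizer in an application.
ALLOWED = { 'code' => [], 'em' => [], 'strong' => [], 'p' => [], 'a' => ['href'] }

def allowlist_filter(html)
  html.gsub(%r{<(/?)([a-zA-Z][\w-]*)\b([^>]*)>}) do
    closing, tag, attrs = $1, $2.downcase, $3
    next '' unless ALLOWED.key?(tag)                    # unknown tag: drop it
    kept = attrs.scan(/([\w-]+)\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/)
               .select { |name, _| ALLOWED[tag].include?(name.downcase) }
               .reject { |_, v| v =~ /\A["']?\s*javascript:/i }
               .map { |name, v| " #{name}=#{v}" }.join
    "<#{closing}#{tag}#{kept}>"
  end
end

# The probes from the post (constructed list; extend with your own cases).
PROBES = [
  '<script>alert(1)</script>',
  '<code onmouseover="bad_code_here">asdf</code>',
]

# Run every probe through a renderer (a lambda taking Textile text) and
# report which outputs still carry dangerous markup.
def probe_renderer(render)
  PROBES.each_with_object({}) { |probe, h| h[probe] = markup_findings(render.call(probe)) }
end

# Constructed stand-in reproducing what the post observed in RedCloth 4 with
# :filter_html: <script> is escaped, but <code> attributes pass through.
# In a Rails app use: ->(t) { RedCloth.new(t, [:filter_html]).to_html }
STAND_IN = lambda do |text|
  text =~ /\A<code\b/ ? text : text.gsub('<', '&lt;').gsub('>', '&gt;')
end

# Hardened pipeline: renderer output goes through the allowlist afterwards.
HARDENED = ->(text) { allowlist_filter(STAND_IN.call(text)) }

if __FILE__ == $0
  p probe_renderer(STAND_IN)   # the <code> probe is flagged
  p probe_renderer(HARDENED)   # nothing is flagged
end
```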

