« Header Injection And Response Splitting | Main | The updated Rails Security Guide »
Monday
Oct132008

New RedCloth security

RedCloth is a module for using Textile in Ruby. Textile is a simple text format that can be converted to HTML, eliminating the need to use HTML directly to create documents, blogs, or web pages.

The new version 4 promises to be faster and without the bugs from version 3. And indeed it feels more reliable and many of the earlier security concers have now been dealt with. For example:

RedCloth.new("<script>alert(1)</script>").to_html

now returns

&lt;script&gt;alert(1)&lt;/script&gt;

instead of

<script>alert(1)</script>

in earlier versions. And it's good that it escapes the input instead of deleting malicious parts. I tried many examples from the XSS cheatsheet and hand-crafted ones. The result is that nearly no malicious parts get through. Yes nearly.

The <code> tag gets through:

RedCloth.new('<code onmouseover="bad_code_here">asdf</code>', [:filter_html]).to_html
<code onmouseover="bad_code_here">asdf</code>

I've created a ticket for that.

 

Also remember that CSS injection will work in textile, if you allow styles. See the earlier post for that.

Nevertheless the new version is far better. And in combination with a whitelist (namely Rails' sanitize() method) it is even secure.

PrintView Printer Friendly Version

EmailEmail Article to Friend

References (5)

References allow you to track sources for this article, as well as articles that were written in response to this article.
  • Response
  • Response
  • Response
  • Response
    I acquire an app that benefits cloth to style dispatchs. I am arduous to clench up the defense further sole empower HTML produced through fabric markup. So I enabled filter_html choice as each red cloth docs.
  • Response
    Response: red more
    Ruby on Rails Security Project - Journal - New RedCloth security

Reader Comments

There are no comments for this journal entry. To create a new comment, use the form below.

PostPost a New Comment

Enter your information below to add a new comment.

My response is on my own website »
Author Email (optional):
Author URL (optional):
Post:
 
Some HTML allowed: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <code> <em> <i> <strike> <strong>