Monday, Oct 13 2008

New RedCloth security

RedCloth is a module for using Textile in Ruby. Textile is a simple text format that can be converted to HTML, eliminating the need to use HTML directly to create documents, blogs, or web pages.

The new version 4 promises to be faster and free of the bugs of version 3. It does feel more reliable, and many of the earlier security concerns have been dealt with. For example:

RedCloth.new("<script>alert(1)</script>").to_html

now returns

&lt;script&gt;alert(1)&lt;/script&gt;

instead of

<script>alert(1)</script>

in earlier versions. It is good that the input is escaped rather than having the malicious parts deleted: the text stays visible, it just can no longer execute. I tried many examples from the XSS cheat sheet as well as hand-crafted ones. The result is that nearly nothing malicious gets through. Nearly.

The <code> tag gets through, and it keeps its attributes even with the :filter_html restriction, so an event handler rides along with it:

RedCloth.new('<code onmouseover="bad_code_here">asdf</code>', [:filter_html]).to_html
<code onmouseover="bad_code_here">asdf</code>

I've created a ticket for that.


Also remember that CSS injection still works in Textile if you allow style attributes. See the earlier post on that.

Nevertheless the new version is far better, and combined with a whitelist applied to the generated HTML (namely Rails' sanitize() helper) the output can be treated as safe to render.
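As an added example (not RedCloth's or Rails' own code), here is what that whitelist step has to do, in plain Ruby so it runs without either gem: it takes the HTML that RedCloth emits, keeps only known tags and, per tag, only known attributes, escapes any other tag in place rather than deleting it, and refuses href values whose scheme is not on a short list. The two RedCloth 4 outputs quoted above are constructed inline as its input; the tag, attribute and scheme lists are assumptions for the illustration, not the defaults of RedCloth or Rails, and in an application you would reach for sanitize() itself.

```ruby
# Added example, not RedCloth's or Rails' own code: a whitelist post-filter in
# the style of Rails' sanitize() helper, run over the HTML a Textile converter
# emits. Unknown tags and stray '<' are escaped (kept visible), not deleted.
require 'cgi/escape'

# Assumed whitelist, not the defaults of RedCloth or Rails.
ALLOWED_TAGS = %w[p br b i strong em code pre blockquote ul ol li a].freeze

# Attributes permitted per tag. No on* handlers and no style, so the
# <code onmouseover=...> case and CSS injection are both cut off here.
ALLOWED_ATTRS = {
  'a'          => %w[href title],
  'blockquote' => %w[cite],
}.freeze

# Schemes a URL-valued attribute may carry; javascript:, data:, vbscript: are absent.
ALLOWED_SCHEMES = %w[http https mailto].freeze

# A tag (opening, closing or self-closing) or a lone '<' that is not a tag.
# Assumes attribute values carry no literal '>' (an HTML encoder emits &gt;).
TAG_RE  = %r{<(/?)([a-zA-Z][a-zA-Z0-9]*)([^<>]*?)(/?)>|<}
ATTR_RE = /([a-zA-Z][a-zA-Z0-9:-]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/

# Relative URLs pass; absolute ones only with a whitelisted scheme.
def safe_url?(url)
  # Browsers ignore whitespace and control characters inside the scheme,
  # so "java\nscript:" must be normalised before the check.
  cleaned = url.gsub(/[\s\x00-\x1f]/, '')
  return true unless cleaned =~ /\A([a-zA-Z][a-zA-Z0-9+.-]*):/
  ALLOWED_SCHEMES.include?($1.downcase)
end

# Rebuilds the attribute list of one opening tag from the whitelist.
def filter_attributes(tag, attr_string)
  allowed = ALLOWED_ATTRS.fetch(tag, [])
  attr_string.scan(ATTR_RE).map do |name, dq, sq, bare|
    name = name.downcase
    next unless allowed.include?(name)
    # Decode entities first so "javascript&#58;" cannot hide the scheme,
    # then re-encode once, which also avoids double-encoding an existing &amp;.
    value = CGI.unescapeHTML(dq || sq || bare || '')
    next if %w[href cite].include?(name) && !safe_url?(value)
    %( #{name}="#{CGI.escapeHTML(value)}")
  end.compact.join
end

# Whitelist pass over converter output: known tags are re-emitted with only
# their permitted attributes, everything else is entity-escaped in place.
def whitelist_html(html)
  html.gsub(TAG_RE) do |token|
    closing, name, attrs, self_closing = $1, $2, $3, $4
    tag = name && name.downcase
    if tag && ALLOWED_TAGS.include?(tag)
      if closing == '/'
        "</#{tag}>"
      else
        "<#{tag}#{filter_attributes(tag, attrs)}#{self_closing == '/' ? ' /' : ''}>"
      end
    else
      CGI.escapeHTML(token) # unknown tag or stray '<': neutralise, keep visible
    end
  end
end

# Constructed inputs: the two RedCloth 4 outputs quoted in the post, plus
# hand-made cases for the href, style and raw-tag paths.
SAMPLES = [
  '&lt;script&gt;alert(1)&lt;/script&gt;',
  '<code onmouseover="bad_code_here">asdf</code>',
  '<script>alert(1)</script>',
  '<a href="javascript&#58;alert(1)" title="x">link</a>',
  '<p style="background:url(javascript:alert(1))">text</p>',
  '<a href="http://example.com/?a=1&amp;b=2">x</a>',
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each { |html| puts "#{html}\n   => #{whitelist_html(html)}" }
end
```

Two design points worth noting. First, style is simply absent from the attribute whitelist, which is the cheapest answer to the CSS-injection caveat above: nothing has to parse CSS if no CSS is allowed through. Second, attribute values are entity-decoded before the scheme check and re-encoded afterwards; without that, `javascript&#58;alert(1)` would pass the check and be decoded by the browser. The filter only knows the entities CGI.unescapeHTML knows and assumes the converter never puts a literal `>` inside an attribute value, which is why it belongs after a well-behaved generator like RedCloth rather than in front of raw user HTML.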
