Monday, Oct 13 2008

New RedCloth security

RedCloth is a module for using Textile in Ruby. Textile is a simple text format that can be converted to HTML, eliminating the need to use HTML directly to create documents, blogs, or web pages.

The new version 4 promises to be faster and without the bugs from version 3. And indeed it feels more reliable, and many of the earlier security concerns have now been dealt with. For example:

RedCloth.new("<script>alert(1)</script>").to_html

now returns

&lt;script&gt;alert(1)&lt;/script&gt;

instead of

<script>alert(1)</script>

in earlier versions. And it's good that it escapes the input instead of deleting malicious parts. I tried many examples from the XSS cheatsheet and hand-crafted ones. The result is that nearly no malicious parts get through. Yes, nearly.

The <code> tag gets through:

RedCloth.new('<code onmouseover="bad_code_here">asdf</code>', [:filter_html]).to_html
<code onmouseover="bad_code_here">asdf</code>

I've created a ticket for that.


Also remember that CSS injection will work in textile, if you allow styles. See the earlier post for that.

Nevertheless the new version is far better. And in combination with a whitelist (namely Rails' sanitize() method) it is even secure.
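To show what the whitelist step buys you on top of RedCloth 4, here is an added example (not code from the post or from RedCloth): a small tag and attribute allowlist in the spirit of Rails' sanitize(), applied to the HTML that RedCloth returns, plus a regression check for the surviving on* handler case above. The tag list, the URL scheme check and the regex parsing are my own simplifications; a real app should call Rails' sanitize helper instead of a regex.

```ruby
require 'cgi'

# Allowed tags and, per tag, the attributes that may survive (assumption:
# a conservative set chosen for this example, not RedCloth's or Rails' list).
ALLOWED_TAGS = {
  'p' => [], 'br' => [], 'code' => [], 'pre' => [], 'em' => [], 'strong' => [],
  'a' => ['href', 'title']
}.freeze

# Only relative links, fragments and http(s) are accepted in href, so
# javascript: and similar schemes are dropped even when entity-encoded.
SAFE_URL = %r{\A(https?:|/|#)}i

TAG_RE  = %r{<(/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>}
ATTR_RE = %r{([^\s=>/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?}

# Keep only allowed attributes for +tag+, re-escaping every value.
def filter_attrs(tag, attr_str)
  allowed = ALLOWED_TAGS[tag]
  attr_str.scan(ATTR_RE).map do |name, dq, sq, bare|
    name = name.downcase
    next unless allowed.include?(name)
    value = CGI.unescapeHTML(dq || sq || bare || '')
    next if name == 'href' && value.strip !~ SAFE_URL
    %( #{name}="#{CGI.escapeHTML(value)}")
  end.compact.join
end

# Allowlist pass over already-rendered HTML: unknown tags are escaped
# (like RedCloth 4 does for <script>), known tags lose any attribute that
# is not on their list, so <code onmouseover=...> becomes a bare <code>.
def allowlist_html(html)
  html.gsub(TAG_RE) do
    m = Regexp.last_match
    closing, tag, attrs = m[1], m[2].downcase, m[3]
    if ALLOWED_TAGS.key?(tag)
      closing.empty? ? "<#{tag}#{filter_attrs(tag, attrs)}>" : "</#{tag}>"
    else
      CGI.escapeHTML(m[0])
    end
  end
end

# Regression check for rendered output: true if any on* event handler
# attribute is still present inside a tag.
def event_handler_present?(html)
  !!(html =~ /<[^>]*\son[a-z]+\s*=/i)
end
```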
