> On 2/12/06, Nathaniel S. H. Brown <[EMAIL PROTECTED]> wrote:
> > As I said before, I (or we, for whoever is in support) can solve the
> > minor details, and provide solutions with a little bit of creativity.
> > I am of the opinion that if you see points such as the ones you
> > mentioned, you may also be able to see how to fix them, if you so
> > desire. I have some suggestions.
>
> Nathaniel, I don't think that this is a solvable problem. What would
> you propose the output of link_to and other helpers be? Why can't
> malicious users encode their text in such a way?
One idea might be to have a wrapper around any helper method, which is
cleaned after use by the <%= method. For example, link_to(:controller =>
'xss', :action => 'safe') in its raw state prepends and appends the {{SAFE}}
and {{/SAFE}} strings, whose contents are ignored by the <%= method. At the
conclusion of execution of the <%= tag, a simple
text.gsub(/\{\{(\/?)SAFE\}\}/, '') call is performed and the safe tags are
stripped.

<%= '<xss hack here>' + link_to(:controller => 'xss', :action => 'safe') +
'</xss hack here>' %>

This would clean the xss, and ignore the link_to.
> Given the complexity involved in solving these problems, and
> the performance cost of escaping everything (it's
> considerable). This isn't something we're going to change.
I was under the impression that Rails is an open source project?
I didn't intend to presume that you would be the one fixing it. I was simply
asking for suggestions (or opinions?).
-Nb
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Nathaniel S. H. Brown http://nshb.net
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
_______________________________________________
Rails-core mailing list
[email protected]
http://lists.rubyonrails.org/mailman/listinfo/rails-core
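Added example (not from the mail, and not Rails code): a small Ruby model of the {{SAFE}} marker scheme proposed above, next to the objection raised in the quoted reply that a user could encode their own text the same way. `naive_link_to` / `link_to(text, href)` are hypothetical stand-ins for a Rails helper (the real link_to signature differs); `escape_outside_markers` plays the part of the <%= tag's post-processing; the per-render nonce in `NoncedRenderer` is this example's own hardening, not something the mail proposes. The "injected" string is a constructed sample.

```ruby
require 'cgi'
require 'securerandom'

# HTML-escape everything in +text+ except the spans wrapped in
# +open_marker+ ... +close_marker+, and drop the markers themselves.
# This is what the proposal expects the <%= tag to do after evaluation.
def escape_outside_markers(text, open_marker, close_marker)
  region = /#{Regexp.escape(open_marker)}(.*?)#{Regexp.escape(close_marker)}/m
  out = +''
  rest = text
  while (m = region.match(rest))
    out << CGI.escapeHTML(m.pre_match) # outside a marked span: untrusted, escape it
    out << m[1]                        # inside a marked span: pass through as-is
    rest = m.post_match
  end
  out << CGI.escapeHTML(rest)
end

# --- The scheme as described in the mail: fixed {{SAFE}} marker strings. ---

SAFE_OPEN  = '{{SAFE}}'
SAFE_CLOSE = '{{/SAFE}}'

# Hypothetical stand-in for a Rails helper such as link_to: it escapes its
# own arguments and wraps the markup it produces in the safe markers.
def naive_link_to(text, href)
  html = %(<a href="#{CGI.escapeHTML(href)}">#{CGI.escapeHTML(text)}</a>)
  "#{SAFE_OPEN}#{html}#{SAFE_CLOSE}"
end

def naive_output(text)
  escape_outside_markers(text, SAFE_OPEN, SAFE_CLOSE)
end

# --- Hardened variant (this example's addition): the marker carries a secret
# nonce chosen per render, so data that merely looks like a marker cannot
# claim to be trusted markup. ---

class NoncedRenderer
  def initialize(nonce = SecureRandom.hex(16))
    @open_marker  = "{{SAFE:#{nonce}}}"
    @close_marker = "{{/SAFE:#{nonce}}}"
  end

  def link_to(text, href)
    html = %(<a href="#{CGI.escapeHTML(href)}">#{CGI.escapeHTML(text)}</a>)
    "#{@open_marker}#{html}#{@close_marker}"
  end

  def output(text)
    escape_outside_markers(text, @open_marker, @close_marker)
  end
end

if __FILE__ == $PROGRAM_NAME
  # The case from the mail: surrounding text is escaped, link_to passes through.
  puts naive_output('<xss hack here>' + naive_link_to('safe', '/xss/safe') + '</xss hack here>')

  # The objection from the quoted reply: untrusted text (constructed sample)
  # containing the fixed marker strings is treated as trusted by the naive scheme...
  forged = '{{SAFE}}<b>injected</b>{{/SAFE}}'
  puts naive_output(forged + naive_link_to('safe', '/xss/safe'))

  # ...but not by the nonced renderer, where the look-alike marker is plain text.
  r = NoncedRenderer.new
  puts r.output(forged + r.link_to('safe', '/xss/safe'))
end
```

The nonce closes the forgery hole only because the untrusted data cannot know the per-render value; trust still travels inside the string, so any code path that copies helper output into a later render, or logs it, has to treat the markers as sensitive. Tracking trust as a property of the string object rather than of its contents is the direction Rails later took with SafeBuffer.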