> One idea might be to have any helper method have a wrapper around it,
> which is cleaned after using the <%= method. Such an example,
>
> Such as link_to(:controller => 'xss', :action => 'safe') in its raw state
> appends and prepends the {{SAFE}} and {{/SAFE}} string, whose contents
> are ignored by the <%= method. At the conclusion of execution of the <%=
> tag, a simple text.gsub(/{{(\/?)SAFE}}/, '') is performed and the safe
> tags are stripped.
>
> <%= '<xss hack here>' + link_to(:controller => 'xss', :action => 'safe') +
> '</xss hack here>' %>
>
> This would clean the xss, and ignore the link_to.
So I'll just send the following into your XSS variables.

{{SAFE}}<script type="text/javascript">steal_all_your_stuff()</script>{{/SAFE}}

If we do something like this, XSS protection is impossible.

> I was under the impression that Rails is an open source project, I thought?
> I didn't intend to presume that you would be the one fixing it. I was simply
> asking for suggestions (or opinions?).

Rails is an open source project, but patches don't get applied without review
by one of us on the core team. I've discussed it with a few of the other guys
and we're not going to change this.

The other option is for you to release a plugin which implements this kind of
behaviour. But given the performance problems it'll introduce, and the fact it
makes security more difficult, I don't think it would be a good idea.

--
Cheers

Koz

_______________________________________________
Rails-core mailing list
Rails-core@lists.rubyonrails.org
http://lists.rubyonrails.org/mailman/listinfo/rails-core
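As an added illustration (not code from this thread or from Rails itself), here is a toy Ruby model of the two designs: the in-band {{SAFE}} marker scheme from the quoted proposal, which the reply shows is defeated by placing the markers in user-controlled data, and an out-of-band design where trust is a flag carried by the object rather than bytes in the string. The names marker_render, render, SafeBuffer, LINK and USER are assumptions made for the example.

```ruby
require 'cgi'

# Toy model of the in-band scheme from the quoted proposal: everything is
# escaped except text between {{SAFE}} and {{/SAFE}}, then the markers are dropped.
def marker_render(text)
  in_safe = false
  text.split(/(\{\{\/?SAFE\}\})/).map do |chunk|
    case chunk
    when '{{SAFE}}'  then in_safe = true;  ''
    when '{{/SAFE}}' then in_safe = false; ''
    else in_safe ? chunk : CGI.escapeHTML(chunk)   # "safe" spans pass through untouched
    end
  end.join
end

# Out-of-band alternative (assumed name, a minimal stand-in for a real
# SafeBuffer-style type): trust is a property of the object, not of the bytes
# in the string, so nothing typed into a plain String can claim it.
class SafeBuffer < String
  def html_safe?
    true
  end
end

# Output helper: escape every part unless the object itself is marked safe.
def render(*parts)
  parts.map do |p|
    p.respond_to?(:html_safe?) && p.html_safe? ? p : CGI.escapeHTML(p)
  end.join
end

# Constructed sample data: what a helper like link_to would emit, and the
# marker-wrapped script from the reply above placed in a user-controlled value.
LINK = '<a href="/xss/safe">safe</a>'
USER = '{{SAFE}}<script>steal_all_your_stuff()</script>{{/SAFE}}'

# In-band: the helper wraps its output in markers and is concatenated with user data.
def inband_example
  marker_render(USER + "{{SAFE}}#{LINK}{{/SAFE}}")
end

# Out-of-band: the helper returns a SafeBuffer; user data stays a plain String.
def outofband_example
  render(USER, SafeBuffer.new(LINK))
end

if __FILE__ == $PROGRAM_NAME
  puts inband_example      # the <script> survives: markers inside user data were honoured
  puts outofband_example   # user data fully escaped, the markers are printed as inert text
end
```

The in-band version cannot distinguish markers written by link_to from markers typed by a user, which is exactly the bypass the reply describes; the flag-based version never consults the string's contents to decide trust.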