That solution is ugly. for(;;) means code on the server side to add it and code on the client side to slice it off, while the .xhr? check is one line in ApplicationController.
On Saturday, December 14, 2013 7:11:03 AM UTC+7, Pier-Olivier Thibault wrote:
>
> Just had a flash about this issue.
>
> JSON has a similar issue and it solved it by prepending 'for (;;);' before
> the JSON payload.
>
> Wouldn't it be an idea to prepend any js.erb template with 'for (;;);' and
> use String.substr(9) (9 being the size of the for loop) to remove that loop
> before injecting the payload in the <script>. This way, JS would be safe
> without need to do extra verification on the server side.
>
> On Monday, December 9, 2013 12:51:41 AM UTC-5, DHH wrote:
>>
>> Jeremy Kemper is assigned to this. We will get this in shortly.
>>
>> On Dec 8, 2013, at 20:19, Egor Homakov <[email protected]> wrote:
>>
>> so if/when this will make it to master?
>>
>> On Thursday, November 28, 2013 3:41:37 PM UTC+7, Egor Homakov wrote:
>>>
>>> https://github.com/rails/rails/issues/12374#issuecomment-29446761
>>>
>>> Here in discussion I proposed to deprecate JS responder because this
>>> technique is insecure and not a pragmatic way to transfer data.
>>> It can be exploited in this way
>>> http://homakov.blogspot.com/2013/05/do-not-use-rjs-like-techniques.html
>>>
>>> I find this bug very often so I know what I'm talking about. With it an
>>> attacker can steal user data and authenticity_token if templates with a form
>>> were leaked too.
>>>
>>> --
>> You received this message because you are subscribed to a topic in the
>> Google Groups "Ruby on Rails: Core" group.
>> To unsubscribe from this topic, visit
>> https://groups.google.com/d/topic/rubyonrails-core/rwzM8MKJbKU/unsubscribe
>> To unsubscribe from this group and all its topics, send an email to
>> [email protected].
>> To post to this group, send email to [email protected].
>> Visit this group at http://groups.google.com/group/rubyonrails-core.
>> For more options, visit https://groups.google.com/groups/opt_out.
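Both defences argued over in this thread, as an added Ruby example that is not code from the thread, from Rails or from any of the posters. It models the ".xhr?" check from the reply above and the "for (;;);" prefix from Pier-Olivier's proposal side by side so the trade-off is visible: the header check is a single server-side decision, the prefix needs a matching strip on every client. FakeRequest, guard_js_response, wrap_js and unwrap_js are hypothetical names chosen for the example; the one real detail relied on is that Rack's Request#xhr? is true when the X-Requested-With header equals "XMLHttpRequest", a header browsers do not send for a <script src> load.

```ruby
# Added example, not code from the rails-core thread or from Rails: a
# stand-alone model of the two defences discussed against cross-origin
# inclusion of a .js.erb response via <script src="https://app/some/action.js">.
#
#   1. The ".xhr?" check: refuse a JS-format response unless the request
#      came from XMLHttpRequest.
#   2. The "for (;;);" prefix: make the response hang if a browser executes
#      it as a plain script, and have the legitimate caller strip the prefix.

# Constructed stand-in for a Rack/Rails request (hypothetical class).
# Rack's Request#xhr? returns true when X-Requested-With equals
# "XMLHttpRequest". Browsers never send that header for a <script src>
# load, and a cross-origin page cannot add it to a request without a CORS
# preflight the server would have to approve, so the header separates
# same-origin XHR from script inclusion.
class FakeRequest
  attr_reader :format, :headers

  def initialize(format:, headers: {})
    @format = format
    @headers = headers
  end

  def xhr?
    headers.fetch('X-Requested-With', '').casecmp('XMLHttpRequest').zero?
  end
end

# Defence 1: the one-line ApplicationController check from the thread,
# modelled as a plain function (hypothetical name). In Rails this would be
# a before_action that renders head :forbidden in the :forbidden case.
def guard_js_response(request)
  return :ok unless request.format == :js   # only JS responses are at risk
  request.xhr? ? :ok : :forbidden
end

# Defence 2: the for(;;); prefix. Executed as a <script>, the response loops
# forever on its first statement, so no later statement can hand data to
# functions the embedding page has redefined. The XHR caller knows the
# prefix length (9 characters) and slices it off before evaluating the code.
JS_GUARD_PREFIX = 'for (;;);'.freeze

def wrap_js(payload)
  JS_GUARD_PREFIX + payload
end

def unwrap_js(body)
  unless body.start_with?(JS_GUARD_PREFIX)
    raise ArgumentError, 'response does not carry the for(;;); guard prefix'
  end
  body[JS_GUARD_PREFIX.length..-1]   # the String.substr(9) of the proposal
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample requests: a real XHR, a <script src>-style load, HTML.
  xhr   = FakeRequest.new(format: :js, headers: { 'X-Requested-With' => 'XMLHttpRequest' })
  plain = FakeRequest.new(format: :js)
  html  = FakeRequest.new(format: :html)

  puts "xhr    -> #{guard_js_response(xhr)}"     # :ok
  puts "script -> #{guard_js_response(plain)}"   # :forbidden
  puts "html   -> #{guard_js_response(html)}"    # :ok

  body = wrap_js("$('#list').html('<li>constructed sample</li>');")
  puts body              # starts with for (;;);
  puts unwrap_js(body)   # original payload, ready for eval by the XHR caller
end
```

The header check is the one Rails itself later adopted: Rails 4.1 made protect_from_forgery raise ActionController::InvalidCrossOriginRequest for a non-XHR GET that renders a JS response. The prefix approach is not wrong, but as the reply above notes it costs a strip step in every client, and a single client that forgets it gets a hung page rather than an error.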
