How to avoid html, iframe and cross site injection in rails? - ruby-on-rails

I have stored data in my database as HTML content.
Whenever a user gives input, it gets injected into my HTML.
What should I do? Do I need to sanitize my data before storing it in the DB? Or can I store the data as it is, and only do something about injection while displaying it in the view?

I would recommend you to refer to the XSS Cross Site Scripting cheatsheet
and for Rails in particular, as stated:
The SanitizeHelper module provides a set of methods for scrubbing text of undesired HTML elements.
<%= sanitize @comment.body, tags: %w(strong em a), attributes: %w(href) %>

Related

Rails translation performance impact <%= raw t( vs. <%= t(

I am building a multilingual application using rails-i18n Ruby on Rails.
Most of content (and DB entries) I have to translate is pure text, though part of it has some embedded html.
I was thinking of using <%= raw t('translation_key') %> instead of the straight <%= t('translation_key') %> to account for future changes that might include html.
If I adopt <%= raw t('translation_key') %> throughout the whole website, am I going to get any (negative) impact when it comes to
website performance
website security
You just append _html to your tag keys to handle HTML in translation tags:
en:
  key_one: test text
  key_one_html: <p>test text</p>
Then the standard code will work:
<%= t('key_one_html') %>
Performance aspect:
The performance impact should be negligible. Calling raw copies the parameter into a new string (an ActiveSupport::SafeBuffer to be precise) with its html_safe flag set to true. On the other hand there is no longer HTML escaping performed on that string.
Security aspect:
There are more substantial drawbacks to using raw everywhere.
You say your translations are read from the database. Can the user edit these translations? If so...
You risk HTML injections: A malicious user could just enter a <script> tag.
All your translations must be HTML safe from now on. That means you have to manually escape all your translations, i.e. you have to replace <, >, and &.
Alternatives:
There are other options if you need to incorporate HTML into your translations:
Use the _html suffix judiciously to prevent automatic escaping
Use localized views and partials, i.e. index.en.html, _footer.de-DE.html to translate larger parts of your views.
To streamline translation of database entries, you can try
Globalize
hstore_translate (PostgreSQL only)
Conclusion:
Using raw everywhere will lead to a lot of problems along the road. Save yourself a lot of trouble and just use it "as needed".
You could also use the globalize gem for bigger text / html sections of content.
https://github.com/globalize/globalize/blob/master/README.md
It also supports eager loading if you're worried about performance.

Best practice for Prevent XSS hacking

I am a member of a team with 25 developers. We use an MVC.NET application in which security is important for us. We use @Html.AntiForgeryToken() and anything related to security, but we are concerned about preventing XSS hacking.
We encode everywhere, but in some places we need HTML from the user.
What is the best practice for preventing XSS hacking?
The golden rule to prevent XSS is to HTML encode everything that you are outputting to a view.
Hopefully the @ Razor function already does that automatically for you.
So when you write one of the following you are pretty safe:
@Model.SomeProperty
@Html.DisplayFor(x => x.SomeProperty)
You should be careful with the @Html.Raw helper:
@Html.Raw(Model.SomeProperty)
If you use that, the output will not be HTML encoded. This doesn't mean that your site is vulnerable to XSS injection. For example, if you have total control of the property and it is not coming from user input, you should be pretty safe.
If you are using the WebForms view engine then you should be more careful because the <%= function doesn't HTML encode the output.
So the following is not safe:
<%= Model.SomeProperty %>
You should use one of the following:
<%= Html.DisplayFor(x => x.SomeProperty) %>
<%: Model.SomeProperty %>
If, on the other hand, you need to output some user input without HTML encoding it, I would recommend using the AntiXSS library from Microsoft. It will filter out all dangerous tags from the input and you are safe to output it. For example, it will remove the <script> tags from the input. There's also an article on MSDN about this library that you might check out.

Safely rendering a user's template/view?

I have a model which has a template field. This template is HTML and has variables which get substituted. This template is then converted into a PDF using wicked_pdf.
How should I take the template which the user enters and safely do variable substitution? Allowing it to be an ERB template seems to be setting myself up for some huge security holes. What safe solutions are there?
Edit:
So, for example, I have my template class/model which has two fields, a name and an HTML field. This is a user editable class. There will be specific variables available to the HTML in the template class (Company Name, price, etc.). I am hoping to use a HTML templating system, but since this is user created content, it isn't trusted. Only variable substitution will be done, nothing more.
Rails provides a couple of helper functions, namely h, to escape values on display for preventing such behavior.
<%= h @user.name %>
h is an alias of html_escape
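One way to do substitution-only rendering of a user-supplied template, as an added example that is not part of the original question or answer. The {{name}} placeholder syntax, the variable names and the sample values are assumptions; the template's own HTML is still untrusted markup and is assumed to go through an allowlist sanitizer separately.

```ruby
require "erb"

# Added example: variable names, placeholder syntax and sample values are
# hypothetical, not taken from the original question.
ALLOWED_VARS = %w[company_name price customer].freeze
PLACEHOLDER  = /\{\{\s*([a-z_]+)\s*\}\}/

class UnknownVariable < StandardError; end

# Replace {{name}} placeholders with HTML-escaped values.
# The user's template is only ever treated as a string: it is never handed
# to ERB, eval or send, so "<%= ... %>" in it stays inert text.
def render_user_template(template, values)
  template.gsub(PLACEHOLDER) do
    name = Regexp.last_match(1)
    raise UnknownVariable, name unless ALLOWED_VARS.include?(name)
    # gsub makes a single pass, so a value that itself contains "{{...}}"
    # is inserted literally and never expanded a second time.
    ERB::Util.html_escape(values.fetch(name, "").to_s)
  end
end

# Constructed sample input.
SAMPLE_TEMPLATE = '<h1>{{ company_name }}</h1><p>{{price}}</p><%= 7 * 7 %>'
SAMPLE_VALUES   = {
  "company_name" => "A&B <script>alert(1)</script>",
  "price"        => "{{customer}}"
}.freeze

puts render_user_template(SAMPLE_TEMPLATE, SAMPLE_VALUES) if $PROGRAM_NAME == __FILE__
```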

The PHP HTMLPurifier library, but for Rails?

Anyone who's done anything much with PHP and receiving rich-text input from something like TinyMCE has (probably) used something like HTMLPurifier to keep the nasties out of the HTML you're intentionally allowing the user to submit.
For example, HTMLPurifier will take a string of (potentially malformed) HTML and strip out disallowed elements and attributes, try to fix broken HTML, and in some cases convert things like <i> to <em>.
Does anything equivalent exist for Rails (3)? What's the generally accepted way to sanitize input from rich text editors in Rails so that you can output the unescaped HTML onto a web page and know that stuff like <style> and <script> tags have been taken out of it and it's not going to break your page (or steal your cookies!)?
EDIT | Anybody used Sanitize? Any other options with pros & cons?
You can use the sanitize method.
sanitize(html)
There is also a Sanitize gem.
Sanitize.clean(html)
I tend to prefer the Sanitize gem because it can be used as a before_save filter in your models instead of having to use the sanitize method in each of your views.

Escaping HTML in Rails

What is the recommended way to escape HTML to prevent XSS vulnerabilities in Rails apps?
Should you allow the user to put any text into the database but escape it when displaying it? Should you add before_save filters to escape the input?
There are three basic approaches to this problem.
use h() in your views. The downside here is that if you forget, you get pwnd.
Use a plugin that escapes content when it is saved. My plugin xss_terminate does this. Then you don't have to use h() in your views (mostly). There are others that work on the controller level. The downsides here are (a) if there's a bug in the escaping code, you could get XSS in your database; and (b) There are corner cases where you'll still want to use h().
Use a plugin that escapes content when it is displayed. CrossSiteSniper is probably the best known of these. This aliases your attributes so that when you call foo.name it escapes the content. There's a way around it if you need the content unescaped. I like this plugin but I'm not wild about letting XSS into my database in the first place...
Then there are some hybrid approaches.
There's no reason why you can't use xss_terminate and CrossSiteSniper at the same time.
There's also an ERb implementation called Erubis that can be configured so that any call like <%= foo.name %> is escaped -- the equivalent of <%= h(foo.name) %>. Unfortunately, Erubis always seems to lag behind Rails and so using it can slow you down.
If you want to read more, I wrote a blog post (which Xavor kindly linked to) about using xss_terminate.
The h is an alias for html_escape, which is a utility method for escaping all HTML tag characters:
html_escape('<script src=http://ha.ckers.org/xss.js></script>')
# => &lt;script src=http://ha.ckers.org/xss.js&gt;&lt;/script&gt;
If you need more control, go with the sanitize method, which can be used as a white-list of tags and attributes to allow:
sanitize(@article.body, :tags => %w(table tr td), :attributes => %w(id class style))
I would allow the user to input anything, store it as-is in the database, and escape when displaying it. That way you don't lose any information entered. You can always tweak the escaping logic later...
Use the h method in your view template. Say you have a post object with a comment property:
<div class="comment">
<%= h post.comment %>
</div>
Or with this plugin - no need for h 8)
http://railspikes.com/2008/1/28/auto-escaping-html-with-rails
I've just released a plugin called ActsAsSanitiled using the Sanitize gem which can guarantee well-formedness as well as being very configurable as to what kind of HTML is allowed, all without munging user input or requiring anything to be remembered at the template level.
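The trade-off between escaping on save and escaping on display discussed in the answers above, as an added example that is not from any of the posts. It uses only ERB::Util.html_escape (the h helper) and JSON from the standard library; the sample comment and the function name are constructed for illustration.

```ruby
require "erb"
require "json"

# Constructed sample input standing in for a user-submitted comment.
COMMENT = "Tom & Jerry <script>alert(1)</script>"

def h(text)
  ERB::Util.html_escape(text)
end

# Returns what each consumer would emit under the two storage strategies.
def compare_strategies(input)
  raw_stored     = input      # store as-is, escape per output context
  escaped_stored = h(input)   # escape in a before_save-style hook

  {
    # Raw storage + h() in the view: escaped exactly once.
    raw_html: h(raw_stored),
    # Raw storage + JSON API: the client gets the text the user typed.
    raw_json: JSON.generate("comment" => raw_stored),
    # Escaped storage printed without h(): same markup as raw_html.
    escaped_html: escaped_stored,
    # Escaped storage in a view that also escapes: entities show up as text.
    escaped_html_double: h(escaped_stored),
    # Escaped storage + JSON API: HTML entities leak into a non-HTML context.
    escaped_json: JSON.generate("comment" => escaped_stored)
  }
end

if $PROGRAM_NAME == __FILE__
  compare_strategies(COMMENT).each { |k, v| puts "#{k}: #{v}" }
end
```

Both strategies produce the same safe HTML when escaping happens exactly once; they differ when a second escaping layer or a non-HTML consumer reads the stored value.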
