how to avoid cross site scripting in "ruby on rails"
i used the code below
And I want to know: how and where do we check whether this script is working or not?
You should escape anything in your views that may be manipulated by a third party, such as attributes and parameters.
Given your example, I have created a user with the name <script type="text/javascript">alert("XSS")</script>. Assuming you're only validating the presence of a name, this would be valid.
<!-- Raw output -->
<script type="text/javascript">alert("XSS")</script>
A client viewing this page with JavaScript enabled will see the standard alert prompt. This demonstrates that I can inject arbitrary JavaScript into your view.
<!-- Escaped output -->
&lt;script type=&quot;text/javascript&quot;&gt;alert(&quot;XSS&quot;)&lt;/script&gt;
A client viewing this page with JavaScript enabled will not see the standard alert prompt.
This is a technique you can use to verify whether or not a view is vulnerable to a cross site scripting attack.
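The raw-versus-escaped check described in this answer, as an added Ruby example (not code from the question or the answer). It uses `ERB::Util.html_escape`, which is what Rails' `h()` helper calls, and a constructed user name carrying the same script payload; `render_raw`, `render_escaped` and `script_tag_survives?` are names chosen here for illustration.

```ruby
require "erb"

# Constructed sample input: a user name that carries a script payload,
# exactly the value the answer above used to create a user.
MALICIOUS_NAME = '<script type="text/javascript">alert("XSS")</script>'

# Unsafe rendering: plain interpolation with no escaping, the equivalent
# of <%= @user.name %> in Rails 2.x ERB without h().
def render_raw(name)
  "<p>Hello, #{name}</p>"
end

# Safe rendering: the name passes through ERB::Util.html_escape, which
# turns <, >, &, " and ' into entities so the browser shows them as text.
def render_escaped(name)
  "<p>Hello, #{ERB::Util.html_escape(name)}</p>"
end

# The verification step: does a live <script> tag survive in the output?
# true means the view is vulnerable to the injected name.
def script_tag_survives?(html)
  html.match?(/<script\b/i)
end

if __FILE__ == $0
  puts render_raw(MALICIOUS_NAME)
  puts render_escaped(MALICIOUS_NAME)
  puts "raw view vulnerable?     #{script_tag_survives?(render_raw(MALICIOUS_NAME))}"
  puts "escaped view vulnerable? #{script_tag_survives?(render_escaped(MALICIOUS_NAME))}"
end
```

Running the file prints the two renderings side by side; the raw one still contains a working `<script>` tag while the escaped one only contains `&lt;script ...&gt;` text, which the browser displays literally instead of executing.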
An alternate option is to consider using HAML. HAML can be configured to always escape output unless you explicitly ask for it to be raw. I'm led to believe this will be the default behaviour in Rails 3 using ERb.
If you want to add auto-escape to Rails 2.x, take a look at Michael Koziarski's rails_xss. Does exactly what you're looking for :)
I use <amp-twitter> component to embed twitter data into my page:
<amp-twitter
width="375"
height="472"
layout="responsive"
data-tweetid="885634330868850689"
>
</amp-twitter>
but the resulting page doesn't pass the AMP validation. I'm getting "Custom JavaScript is not allowed". I think it is caused by the way the embedded part is generated, namely the <script async="" src="https://platform.twitter.com/widgets.js" charset="utf-8"></script> tag being added to the output.
I inspected the documentation page for this component with #development=1 and it is valid. But the HTML generated there is completely different from the one I have. How could this issue be fixed?
This is not a problem with the amp-twitter component (which passes validation). Most likely it's a problem with your dev environment, for example, some frameworks inject custom JS to implement live reloading.
Report it as a bug to the AMP project on Github.
I'm taking a look at Hogan.js by Twitter.
http://twitter.github.com/hogan.js/
They talk about being able to precompile templates via the server which I understand can be a perf gain.
Currently every time I render the template I perform the following after an AJAX hit to the server to get data:
var template = Hogan.compile($('#seasonsTmpl').html());
$('#main').html(template.render(data));
Given the following template:
<script type="text/html" id="seasonsTmpl">
<ul>
{{#season}}
<li>{{.}}</li>
{{/season}}
</ul>
</script>
What can I do to "precompile" server side using an ASP.MVC backend? Is this not possible as it seems to be centered around using Node.js?
You have the right idea to optimize your templates. There are two options, and the choice probably depends on whether you want to render your templates client-side or server-side.
If you want to render them client-side, you can do a true precompile using Hogan.js. Yes, this does not run on .NET, but I think you've misunderstood when precompilation is possible. Rather than expecting it to happen on each web request, or page load, you can compile your templates up-front as part of your build process. You will need to install node and npm to set this up, but you only need to run this locally on your own machine, or a build box if you use one. Whenever you update your templates, you would run Hogan again to update the output file. The compiled output will be a JavaScript file full of functions that are optimized for later use. These functions include your template strings, along with the logic to render the data a la Mustache. You can then include the output file just like any other JavaScript include, or include it with the other sources for minification if you do that.
The second option is to render the templates server-side. This is different from precompilation: the server will compile and render the templates again for each web request. Step away from Hogan.js and look at a .NET alternative such as Nustache. The great thing about Mustache is that it has a spec and has been ported to several server-side languages.
There's a fundamental difference in these options in terms of where the rendering happens. You might even want to leverage both approaches in certain scenarios, say if you want to render the initial page load server-side using Nustache, but have dynamic elements that must be rendered in the browser using templates precompiled through Hogan.
More info:
Nustache on Github
I hope you find this helpful!
Ok so this is a little random but..
Using MVC 3 (with Razor view engine) with Knockout.js, which uses jQuery Templating, I've come across a little problem I'm sure is possible to solve.
In order to use jQuery-Tmpl you need to supply a template in
<script type="text/html">
...template elements go here...
</script>
Now the problem is that the Razor view engine doesn't seem to generate HTML inside of these specific script tags. It handles standard HTML (and script type="text/javascript") fine but appears to just not do anything with the aforementioned script tag.
Does anyone know how to get around this issue i.e. how to use MVC 3 Razor with jQuery-Tmpl?
There is a pretty good solution in this blog post: http://www.wiredprairie.us/blog/index.php/archives/1204
This creates a "template" helper that emits the script start/end tags.
Otherwise, I have some ideas for putting templates in external files, which would be another way to avoid this issue. It involves storing the templates in .html files and injecting them into the page into script tags. There are certainly many ways that this could be accomplished though on the client or server side, just a few ideas.
A more general approach, if you want to keep things in the document, is using @Html.Raw to output HTML without affecting the edit-time syntax state.
For example:
@Html.Raw("<script type='text/x-dot-template' id='awesome_template'>")
<!-- insert some awesomeness here -->
@Html.Raw("</script>")
I happen to like the helper method suggested above a little better, but it has not always been something I was able to implement, so this is an alternative with its own benefits (namely clarity over ease of use and terseness).
I inherited the management of a Symfony site and need to add some HTML form tags to one of the "static" pages via the CMS. The scenario I have is:
/index.php/splash/welcome pulls up the welcome screen.
We want to be able to add a subscription button on that page.
The HTML has been supplied for us by the company that handles the subscriptions.
The form post method has an action that references a script on a remote site (no lectures on the security implications please ;-).
When I add the <form... and <input... tags via the CMS admin panel, the tags get removed automatically by Symfony.
Is there a way to tell Symfony to allow these tags?
Thanks in advance,
Marty.
This is going to depend completely on how the developer set up the CMS. If you're using a rich text editor in source mode, I would take a look at that editor's config file and documentation, because it's probably the one responsible for stripping the tags.
If it's just a plain text area, I would check the submit action for the edit form and take a look at the code... he may be using something to strip them in there.
If you're using one of the Symfony CMS plugins (Diem, Apostrophe, Sympal) I might be able to help further if I know which one you're using. If it's something custom we would need to see the code. This isn't really indicative of the Symfony core, but rather the CMS you're using.
Can someone point me in a direction so that I can use embed code in Rails? Sometimes I need to embed a SlideShowPro file, sometimes I need to embed a YouTube file and sometimes a Vimeo file in the same area for different entries. It would be easiest to use embed code, but it keeps stripping the embed code.
Do I use a sanitize plugin? Can someone point me to a tutorial or give me some help to get me started?
thx
Ok, so the plugin was not the answer to my question --
I wanted to simply add embed code to my rails application -- basically in the same area of my site -- sometimes I wanted to add youtube, sometimes, vimeo and sometimes something coming out of slideshow pro director -- a .swf that is fed by an XML feed.
So after a ton of research on this site and many others -- I found there was a simple solution.
escaping html in RAILS.
xss_terminate
http://www.railslodge.com/plugins/910-xss-terminate
xss_terminate is a plugin in that makes stripping and sanitizing HTML stupid-simple. Install and forget. And forget about forgetting to h() your output, because you won't need to anymore.
But xss_terminate is also flexible. By default, it will strip all HTML tags from user input. This is usually what you want, but sometimes you need users to be able to enter HTML. The plugin allows you remove bad HTML with your choice of two whitelist-based sanitizers, or to skip HTML sanitization entirely on a per-field basis.
This plugin did it like a charm -- just remember to change
<%=h @article.body %> to <%= @article.body %>
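The per-field policy this answer describes (strip HTML from every field on input by default, exempt the one field that must carry embed code, and drop `h()` only for fields the policy covers), as an added Ruby example that is not part of the answer or of the xss_terminate plugin. The `Article` class, its `STRIP_EXEMPT` list and the sample values are constructed for illustration; the regex tag stripper stands in for the plugin's sanitizers, which are whitelist-based and considerably more careful.

```ruby
require "erb"

# Constructed model with an xss_terminate-style policy: every field is
# stripped of HTML tags on assignment unless it is listed as exempt.
# The regex strip is a simplified stand-in for a real sanitizer.
class Article
  STRIP_EXEMPT = [:embed_code].freeze

  attr_reader :title, :body, :embed_code

  def initialize(title:, body:, embed_code:)
    @title      = sanitize_field(:title, title)
    @body       = sanitize_field(:body, body)
    @embed_code = sanitize_field(:embed_code, embed_code)
  end

  private

  # Exempt fields keep their markup (they are written by trusted editors);
  # every other field loses all tags before it is stored.
  def sanitize_field(field, value)
    return value if STRIP_EXEMPT.include?(field)
    value.gsub(/<[^>]*>/, "")
  end
end

# View-side rendering. Fields the model policy already stripped are output
# as-is, which is the <%= @article.body %> form from the answer above.
# A field that bypassed the policy and is not meant to carry markup would
# still go through ERB::Util.html_escape (the <%=h ... %> form).
def render_article(article)
  <<~HTML
    <h1>#{article.title}</h1>
    <div class="body">#{article.body}</div>
    <div class="embed">#{article.embed_code}</div>
  HTML
end

# Constructed sample entry: a script payload in the body, formatting tags
# in the title, and an iframe-style embed snippet in the exempt field.
def sample_article
  Article.new(
    title:      "Spring <b>2011</b> highlights",
    body:       "Great show <script>alert(\"XSS\")</script> this year",
    embed_code: '<iframe src="https://player.example.test/video/1"></iframe>'
  )
end

if __FILE__ == $0
  puts render_article(sample_article)
end
```

The important design choice is that the decision about which fields may hold markup is made once, in the model, rather than at every `<%= %>` in every view; the exempt list should stay short and contain only fields that trusted editors write, since whatever lands in them is emitted to the browser unchanged.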
Here's a sample rails app with vimeo integration. It looks like it makes use of this great vimeo plugin. From the README:
This gem implements a full-featured
Ruby interface for the Vimeo API v2.
Sounds like it might be just the ticket!
I normally just create a body text area input with RedCloth; this allows for simply dropping embed code in as well as text, images, etc.