Overview
Safe ERB lets you make sure that the string written by “<%= %>” in your rhtml template is escaped correctly. If you try to show the attributes in the ActiveRecord instance read from the database or the parameters received from the request without escaping them using “h” method, an exception will be raised. This will significantly reduce the possibility of putting cross-site scripting vulnerability into your web application.
The check is done using “tainted?” method in Object class which is a standard feature provided by Ruby – the string is “tainted” when it is read from IO. When ERB::Util#h method is called, this plugin “untaints” the string, and when “<%= %>” is called in your rhtml template, it raises an exception if the string you are trying to show is tainted.
Download
http://www.kbmj.com/users/shinya/rails/safe_erb-0.2.zip
Installation
Just put this plugin into vendor/plugins directory in your Rails application. No configuration is needed.
Details
The string becomes tainted when it is read from IO, such as the data read from the DB or HTTP request. However, the request parameters are not tainted in functional and integration tests, and also if your server is Mongrel. Hence this plugin installs before_filter into ActionController::Base that always taints request parameters and cookies.
The taint check is done when the ERB template is complied from following methods in ActionController::Base:
- render_template
- render_file
The check is limited to these methods so that it won’t affect other parts of Rails using ERB, such as generators and the views for ActionMailer. To skip checking for specific controllers or actions, you can set @skip_checking_tainted variable to true in your filter or action.
The returned values from the following methods become untainted:
- ERB::Util#h
- ActionView::Helpers::TextHelper#strip_tags
Also, you can always untaint any string manually by calling “untaint” method (standard Ruby feature).
Contact
Shinya Kasatani – kasatani at gmail.com
Problems
SafeERB uses the old(not Rails 2 compatible) methods render_template and render_file. Replace them with render. For Questions on this aks me: hurxmurx ad gmail dot com
Looks like it’s been fixed, see the Google translated version of the Japanese blog post here
Overview
Safe ERB lets you make sure that the string written by “<%= %>” in your rhtml template is escaped correctly. If you try to show the attributes in the ActiveRecord instance read from the database or the parameters received from the request without escaping them using “h” method, an exception will be raised. This will significantly reduce the possibility of putting cross-site scripting vulnerability into your web application.
The check is done using “tainted?” method in Object class which is a standard feature provided by Ruby – the string is “tainted” when it is read from IO. When ERB::Util#h method is called, this plugin “untaints” the string, and when “<%= %>” is called in your rhtml template, it raises an exception if the string you are trying to show is tainted.
Download
http://www.kbmj.com/users/shinya/rails/safe_erb-0.2.zip
Installation
Just put this plugin into vendor/plugins directory in your Rails application. No configuration is needed.
Details
The string becomes tainted when it is read from IO, such as the data read from the DB or HTTP request. However, the request parameters are not tainted in functional and integration tests, and also if your server is Mongrel. Hence this plugin installs before_filter into ActionController::Base that always taints request parameters and cookies.
The taint check is done when the ERB template is complied from following methods in ActionController::Base:
- render_template
- render_file
The check is limited to these methods so that it won’t affect other parts of Rails using ERB, such as generators and the views for ActionMailer. To skip checking for specific controllers or actions, you can set @skip_checking_tainted variable to true in your filter or action.
The returned values from the following methods become untainted:
- ERB::Util#h
- ActionView::Helpers::TextHelper#strip_tags
Also, you can always untaint any string manually by calling “untaint” method (standard Ruby feature).
Contact
Shinya Kasatani – kasatani at gmail.com
Problems
SafeERB uses the old(not Rails 2 compatible) methods render_template and render_file. Replace them with render. For Questions on this aks me: hurxmurx ad gmail dot com
Looks like it’s been fixed, see the Google translated version of the Japanese blog post here