Jan 15, 2007

Updates to Acts As Sanitized Coming

It’s been nice to see that there’s some interest in Acts As Sanitized.

John Nunemaker referred me to the White List plugin by Rick Olsen, which seeks to solve a similar problem for views rather than models. Rick himself then mentioned that the sanitize method passes only a fraction of the test cases he has adapted from RSnake's XSS Cheat Sheet, something I'm well aware of.

Over the next couple of days I'll be expanding my test cases to cover the XSS Cheat Sheet. Beyond that, I'll be providing an enhanced filter along the lines of Rick's whitelist-based solution. Rick has clearly done the difficult legwork here; the rest is a matter of approach and implementation details.
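As an added example (not code from Acts As Sanitized or from Rick's White List plugin), here is a small whitelist filter in plain Ruby, run against a few constructed payloads in the style of the cheat sheet, together with per-field filtering levels of the kind requested in the comments below (strip everything for a title, whitelist for a body). The allowed tags and attributes, the safe URL schemes and the sample inputs are assumptions. Two choices matter for the cheat-sheet cases: tags that are not on the list are escaped rather than deleted, so a mangled tag cannot reassemble into markup, and attribute values are entity-decoded before the URL scheme is checked, which is what catches obfuscations such as jav&#x09;ascript:.

```ruby
require 'cgi'

# Added example, not code from Acts As Sanitized or the White List plugin.
# Tag/attribute lists, safe schemes and sample payloads are assumptions.
module Sanitizer
  ALLOWED_TAGS  = %w[a b i em strong p br ul ol li blockquote code pre]
  ALLOWED_ATTRS = { 'a' => %w[href title], 'blockquote' => %w[cite] }
  URL_ATTRS     = %w[href cite]
  SAFE_SCHEMES  = %w[http https mailto]

  TOKEN_RE = /<[^>]*>|[^<]+|</m   # a tag-shaped token, a run of text, or a stray '<'
  TAG_RE   = /\A<(\/?)([a-zA-Z][a-zA-Z0-9]*)(.*?)\s*\/?>\z/m
  ATTR_RE  = /([a-zA-Z][a-zA-Z0-9:_-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/m

  module_function

  # Whitelist mode: anything that is not an explicitly allowed tag is kept
  # as escaped text rather than deleted, so a broken tag such as
  # <<SCRIPT>...<</SCRIPT> cannot reassemble into markup after filtering.
  def whitelist(html)
    html.to_s.scan(TOKEN_RE).map do |token|
      if token.start_with?('<')
        rebuild_tag(token) || CGI.escapeHTML(token)
      else
        CGI.escapeHTML(CGI.unescapeHTML(token))   # normalise entities, then escape
      end
    end.join
  end

  # Strip mode: drop every tag and return decoded plain text. The result is
  # plain text, so the view must still escape it with h().
  def strip_tags(html)
    html.to_s.scan(TOKEN_RE).map do |token|
      token =~ /\A<.*>\z/m ? '' : CGI.unescapeHTML(token)
    end.join
  end

  # Per-field filtering levels: a :strip field loses all HTML, a :whitelist
  # field keeps allowed markup, a field without a policy is passed through.
  def sanitize_fields(attributes, policies)
    attributes.each_with_object({}) do |(field, value), out|
      out[field] = case policies[field.to_s]
                   when :strip     then strip_tags(value)
                   when :whitelist then whitelist(value)
                   else value
                   end
    end
  end

  # Returns the rebuilt tag, or nil when the tag name is not allowed.
  def rebuild_tag(token)
    m = TAG_RE.match(token)
    return nil unless m
    closing  = (m[1] == '/')
    name     = m[2].downcase
    attr_src = m[3]
    return nil unless ALLOWED_TAGS.include?(name)
    return "</#{name}>" if closing
    attrs = attr_src.scan(ATTR_RE).map do |attr, dq, sq, bare|
      attr  = attr.downcase
      value = CGI.unescapeHTML(dq || sq || bare)   # decode BEFORE any check
      next unless (ALLOWED_ATTRS[name] || []).include?(attr)
      next if URL_ATTRS.include?(attr) && !safe_url?(value)
      %( #{attr}="#{CGI.escapeHTML(value)}")
    end.compact.join
    "<#{name}#{attrs}>"
  end

  # A URL is safe if it is relative, or if its scheme, with whitespace and
  # control characters removed ("jav\tascript:"), is on the allowed list.
  def safe_url?(url)
    scheme = url[/\A[^\/?#]*:/]
    return true if scheme.nil?
    SAFE_SCHEMES.include?(scheme.gsub(/[\x00-\x20]/, '').chomp(':').downcase)
  end
end

if __FILE__ == $0
  # Constructed payloads in the style of the XSS Cheat Sheet.
  [
    "<SCRIPT>alert('XSS')</SCRIPT>",
    "<IMG SRC=\"javascript:alert('XSS')\">",
    '<a href="jav&#x09;ascript:alert(1)">click</a>',
    '<<SCRIPT>alert("XSS");//<</SCRIPT>',
    '<b onmouseover="alert(1)">bold</b> & <i>italic</i>',
  ].each { |payload| puts "#{payload}\n  => #{Sanitizer.whitelist(payload)}" }
  p Sanitizer.sanitize_fields({ 'title' => '<b>Hi</b> &amp; bye', 'body' => '<p onclick="x()">ok</p>' },
                              { 'title' => :strip, 'body' => :whitelist })
end
```

Known limits of this regex tokenizer, which a real filter would avoid by using an HTML parser: a literal ">" inside a quoted attribute value ends the tag early (the tag then degrades to its bare name and the remainder becomes escaped text, which is safe but lossy), self-closing syntax like <br/> is emitted as <br>, and entity references without a trailing semicolon are left as text, which the final escaping step then renders harmless.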

Any other feature requests while I’m at it?

4 comments:

al3x said...

<em>This comment was imported.</em>
Author: <a href="http://blog.evanweaver.com">evan</a><br />
Posted: 2007-01-16 02:44:57<br />
Hey, can you publish a feed to your blog only? The delicious integration is kinda ick.

al3x said...

<em>This comment was imported.</em>
Author: <a href="http://www.al3x.net">al3x</a><br />
Posted: 2007-01-16 03:29:36<br />
You can find such a feed here: http://al3x.net/entries.rss

al3x said...

<em>This comment was imported.</em>
Author: <a href="http://justlooking.recursion.org">Luke Francl</a><br />
Posted: 2007-01-22 18:29:57<br />
Alex,

Good to see you're working on this, since sanitize fails against a number of those clever attacks. Not knowing you were working on this, as a sort of workaround, I added a new option to acts_as_sanitized to use Rick's white list plugin if it's available. It's as basic as you'd expect, but I can send you the code if you want.

I do have a feature request, too: It would be nice if I could specify different levels of filtering on different fields.

For example, on the 'title' field, I'd like all HTML to be stripped, but on the 'body' field, I'd like to use a white list.

al3x said...

<em>This comment was imported.</em>
Author: <a href="http://justlooking.recursion.org">Luke Francl</a><br />
Posted: 2007-01-24 18:30:13<br />
Alex,

Here's another request, if you will.

We found an interesting problem with acts_as_sanitized, observers, and migrations.

We dropped our development database and re-created it from scratch. Models with observers configured in environment.rb caused the model to be loaded, which causes acts_as_sanitized to load the columns...but the table didn't exist yet, so that failed.

I just surrounded the self.columns.each... code with a begin/rescue and logged the error.

Anyway, thought you might like to know. There may be a better way to fix this, I'm not sure.
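The failure Luke describes comes from reading the column list at the moment acts_as_sanitized is declared, which is when the class file is loaded. One fix, shown here as an added example rather than the plugin's own code, is to defer column introspection until the first save. TinyModel is an assumed stand-in for ActiveRecord::Base whose columns raise until a "migration" has supplied a schema, and the tag-stripping filter is a placeholder; the eager variant is included only to reproduce the original error for comparison.

```ruby
# Added example, not acts_as_sanitized's code. TinyModel stands in for
# ActiveRecord::Base; the tag-stripping filter is a placeholder.
class TableMissing < StandardError; end

Column = Struct.new(:name, :type)

class TinyModel
  class << self
    attr_accessor :schema          # nil until the "migration" has run

    def columns
      raise TableMissing, "table for #{self} does not exist yet" unless schema
      schema
    end
  end

  attr_reader :attributes

  def initialize(attributes)
    @attributes = attributes.dup
  end

  # Filtering happens at save time, the first moment the column list is needed.
  def save
    policies = self.class.sanitize_policies
    self.class.sanitized_columns.each do |col|
      next unless attributes.key?(col) && policies[col] == :strip
      attributes[col] = attributes[col].gsub(/<[^>]*>/, '')   # placeholder filter
    end
    attributes
  end
end

module ActsAsSanitizedLazy
  def acts_as_sanitized(policies = {})
    @sanitize_policies = policies
    @sanitized_columns = nil       # deliberately NOT `columns` here
  end

  def sanitize_policies
    @sanitize_policies || {}
  end

  # Deferred: the first call reads the schema, later calls use the memo.
  def sanitized_columns
    @sanitized_columns ||= columns.select { |c| [:string, :text].include?(c.type) }.map(&:name)
  end
end

# The eager form: touching `columns` in the class body raises as soon as the
# class is loaded (e.g. by an observer) if the table is missing.
def build_eager_post_model
  Class.new(TinyModel) do
    @sanitized_columns = columns.map(&:name)
  end
end

def build_lazy_post_model
  Class.new(TinyModel) do
    extend ActsAsSanitizedLazy
    acts_as_sanitized('title' => :strip, 'body' => :strip)
  end
end

# Replays the scenario: load the models, then run the migration, then save.
def replay_scenario
  outcome = {}
  begin
    build_eager_post_model
    outcome[:eager_declaration] = :loaded
  rescue TableMissing
    outcome[:eager_declaration] = :table_missing
  end

  post_class = build_lazy_post_model
  outcome[:lazy_declaration] = :loaded
  begin
    post_class.sanitized_columns             # still too early: no table yet
    outcome[:before_migration] = :resolved
  rescue TableMissing
    outcome[:before_migration] = :table_missing
  end

  post_class.schema = [Column.new('title', :string), Column.new('body', :text),
                       Column.new('views', :integer)]     # the migration runs
  outcome[:after_migration] = post_class.sanitized_columns
  outcome[:saved] = post_class.new('title' => '<b>Hi</b>', 'views' => 3).save
  outcome
end

p replay_scenario if __FILE__ == $0
```

Compared with wrapping self.columns.each in a begin/rescue, deferral means a genuinely missing table still fails loudly at the first save rather than silently leaving a record unfiltered.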