
Ticket #8877 (closed defect: fixed)

Opened 1 year ago

Last modified 10 months ago

[PATCH] Secure text helpers

Reported by: lifofifo
Assigned to: core
Priority: high
Milestone: 1.x
Component: ActionPack
Version: edge
Severity: normal
Keywords:
Cc:

Description

Currently, text helpers strip_links() and strip_tags() are open to XSS attacks. Patch tries to make them as secure as possible.

Thanks.
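The description above names the weakness (tag-stripping helpers that can be coaxed into emitting active content) and the fix direction (a strict allow-list, as in the white_list approach mentioned later in the ticket). The following is an added illustration, not the attached patch and not Rails code: a small allow-list sanitizer in plain Ruby whose `strip_tags` and `strip_links` are just the same routine run with a narrower list. All names (`SafeText`, `ALLOWED_TAGS`, `safe_url?`, the `SAMPLE` input) are assumptions for this example, and the regex-based tokenizer is a teaching stand-in for a real HTML parser.

```ruby
require 'cgi'

# Added example, not the ticket's patch or Rails code: an allow-list HTML
# sanitizer in the spirit of the white_list approach discussed in this ticket.
# Tags and attributes survive only if they are on a fixed list; everything
# else is dropped, and text between tags has any leftover angle brackets
# neutralised so no markup can be reassembled from the output.
module SafeText
  ALLOWED_TAGS      = %w[a b i em strong p br ul ol li code pre].freeze
  ALLOWED_ATTRS     = %w[href title].freeze
  ALLOWED_PROTOCOLS = %w[http https mailto].freeze

  # One HTML tag: optional closing slash, name, raw attribute string.
  TAG_RE  = %r{<\s*(/?)\s*([a-zA-Z][a-zA-Z0-9]*)([^>]*?)\s*/?>}m
  # One attribute: name and optional double-, single- or un-quoted value.
  ATTR_RE = %r{([a-zA-Z][a-zA-Z0-9\-]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?}

  # Keep only tags in +tags+ and, on those tags, only attributes in +attrs+.
  def self.sanitize(html, tags: ALLOWED_TAGS, attrs: ALLOWED_ATTRS)
    out = +''
    pos = 0
    html.scan(TAG_RE) do
      m = Regexp.last_match
      out << escape_text(html[pos...m.begin(0)])
      pos = m.end(0)
      closing = m[1] == '/'
      name    = m[2].downcase
      next unless tags.include?(name)   # unlisted tag: dropped, its inner text kept as text
      out << (closing ? "</#{name}>" : "<#{name}#{clean_attrs(m[3], attrs)}>")
    end
    out << escape_text(html[pos..-1])
    out
  end

  # The Rails-style helpers expressed as the same allow-list with no tags / no <a>.
  def self.strip_tags(html)
    sanitize(html, tags: [])
  end

  def self.strip_links(html)
    sanitize(html, tags: ALLOWED_TAGS - ['a'])
  end

  # Rebuild the attribute string from listed attributes only; values are
  # entity-decoded once and re-escaped so the output is canonical.
  def self.clean_attrs(raw, allowed)
    kept = +''
    raw.scan(ATTR_RE) do |name, dq, sq, bare|
      name  = name.downcase
      value = CGI.unescapeHTML(dq || sq || bare || '')
      next unless allowed.include?(name)
      next if name == 'href' && !safe_url?(value)   # only listed schemes or relative URLs
      kept << %( #{name}="#{CGI.escapeHTML(value)}")
    end
    kept
  end

  # Expects an entity-decoded URL. Whitespace and control characters are
  # removed before the scheme is compared, so a split-up scheme is still seen.
  def self.safe_url?(url)
    cleaned = url.gsub(/[[:space:][:cntrl:]]/, '').downcase
    return true unless cleaned.include?(':')   # relative URL (any ':' must carry a listed scheme)
    ALLOWED_PROTOCOLS.include?(cleaned.split(':', 2).first)
  end

  # Neutralise angle brackets in text without double-encoding existing entities.
  def self.escape_text(text)
    text.gsub('<', '&lt;').gsub('>', '&gt;')
  end
end

# Constructed sample input (not taken from the ticket) that exercises each path:
# an unlisted attribute, an unlisted link scheme, an unlisted tag, and a bare '<'.
SAMPLE = '<p onclick="x()">Hi <b>there</b> <a href="javascript:alert(1)">link</a> <script>steal()</script> 1 < 2</p>'

if __FILE__ == $PROGRAM_NAME
  puts SafeText.sanitize(SAMPLE)     # <p>Hi <b>there</b> <a>link</a> steal() 1 &lt; 2</p>
  puts SafeText.strip_tags(SAMPLE)   # Hi there link steal() 1 &lt; 2
  puts SafeText.strip_links(SAMPLE)  # <p>Hi <b>there</b> link steal() 1 &lt; 2</p>
end
```

The design point is that nothing is ever "removed by pattern": the output is built from scratch out of known-good pieces, so an input the tokenizer misreads can only lose content, never gain markup. Note that the returned string is already HTML-safe text (stray `<` becomes `&lt;`), which differs from a helper that returns raw text for later escaping; pick one contract and keep it consistent across the view layer.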

Attachments

secure_text_helpers.diff (3.1 kB) - added by lifofifo on 07/04/07 20:53:06.
Secure strip_links and strip_tags

Change History

07/04/07 20:53:06 changed by lifofifo

  • attachment secure_text_helpers.diff added.

Secure strip_links and strip_tags

07/04/07 21:56:43 changed by technoweenie

I've got a good white_list plugin that solves this issue: http://svn.techno-weenie.net/projects/plugins/white_list. I'll be pushing to get this and the csrf_killer plugin included for Rails 2.0.

07/18/07 11:16:52 changed by lifofifo

  • status changed from new to closed.
  • resolution set to invalid.

07/18/07 11:18:18 changed by lifofifo

  • component changed from ActiveRecord to ActionPack.

09/23/07 00:11:24 changed by rick

  • resolution changed from invalid to fixed.

(In [7589]) Secure #sanitize, #strip_tags, and #strip_links helpers against xss attacks. Closes #8877. [Rick, lifofifo, Jacques Distler]