link_to XSS problem
Reported by Greg Hazel | February 13th, 2010 @ 07:52 PM | in 2.3.6
not_safe = "<i>XSS is fun</i>"
link_to(not_safe, some_path)
produces:
<a href=\"hi\"><i>XSS is fun</i></a>
when I believe it should instead check .html_safe? on the "name" arg, and escape it if it is not safe, producing:
<a href=\"hi\">&lt;i&gt;XSS is fun&lt;/i&gt;</a>
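The contract the report asks for, as an added example that is not code from the ticket or from Rails: a minimal stand-in for the html_safe? marking that rails_xss introduced, with the reported link_to behaviour beside a version that escapes the name argument unless it is already marked safe. SafeString, LinkHelper and the two link_to variants are assumed names for this illustration only.

```ruby
require "erb"

# Assumed stand-in for ActiveSupport::SafeBuffer: a String that has already
# been escaped (or explicitly vouched for) and must not be escaped again.
class SafeString < String
  def html_safe?
    true
  end
end

class String
  # Plain strings are untrusted by default.
  def html_safe?
    false
  end

  # Mark a string as trusted markup; the caller takes responsibility for it.
  def html_safe
    SafeString.new(self)
  end
end

module LinkHelper
  module_function

  # Escape only what is not already marked safe, so safe output is never
  # double-escaped while untrusted input is always neutralised.
  def escape_once(text)
    text.html_safe? ? text : ERB::Util.html_escape(text).html_safe
  end

  # Behaviour reported in the ticket: the name is interpolated verbatim and
  # the whole tag is then marked safe, so untrusted markup reaches the page.
  def vulnerable_link_to(name, url)
    %(<a href="#{ERB::Util.html_escape(url)}">#{name}</a>).html_safe
  end

  # Fixed behaviour: the name is escaped unless it answers html_safe?.
  def safe_link_to(name, url)
    %(<a href="#{ERB::Util.html_escape(url)}">#{escape_once(name)}</a>).html_safe
  end
end

NOT_SAFE = "<i>XSS is fun</i>" # constructed input, taken from the report

if __FILE__ == $PROGRAM_NAME
  puts LinkHelper.vulnerable_link_to(NOT_SAFE, "/")
  puts LinkHelper.safe_link_to(NOT_SAFE, "/")
  puts LinkHelper.safe_link_to(NOT_SAFE.html_safe, "/")
end
```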
Comments and changes to this ticket
Ryan Bigg March 3rd, 2010 @ 09:32 PM
-1
I cannot reproduce this on the latest edge. Perhaps it has recently been fixed?

Greg Hazel March 3rd, 2010 @ 09:40 PM
This was with 2.3.5. It does look like it's fixed in Rails 3.
Backport?

Santiago Pastorino March 4th, 2010 @ 12:03 AM
- State changed from new to wontfix
That's the expected behavior. On 2.3 if you want to escape unsafe text you have to do it explicitly or use http://github.com/rails/rails_xss to activate xss protection.
Please continue helping, but tag the issues with the appropriate Rails version.

Santiago Pastorino March 4th, 2010 @ 12:06 AM
- Tag changed from html_safe link_to to html_safe link_to, 2.3.x

Greg Hazel March 4th, 2010 @ 12:07 AM
Using rails_xss does not fix the problem. The unsafe HTML is included in the link_to tag, and marked as safe!

Jeremy Kemper March 4th, 2010 @ 02:01 AM
- State changed from wontfix to open
 - Assigned user set to Michael Koziarski
 - Milestone set to 2.3.6

Santiago Pastorino March 4th, 2010 @ 11:12 AM
First of all, that's the expected behavior without rails_xss.
But anyway, sorry I wasn't clear enough. I should have said that it works on the latest 2-3-stable branch and using http://github.com/rails/rails_xss
That was already fixed with the backport José and I did of the master branch. See links below:
http://github.com/rails/rails/commit/9ca6df83f606a0fb8be3815328111d...
http://github.com/rails/rails_xss/commit/8a6fc54a9b3a715fb3c73d8c73...
Perhaps I shouldn't have changed the state to wontfix but to resolved or duplicate.

Greg Hazel March 4th, 2010 @ 11:15 AM
Oh! I wasn't aware of http://github.com/rails/rails_xss. I'm currently using http://github.com/NZKoz/rails_xss with 2.3.5.
Should I switch? Should everyone?

Santiago Pastorino March 4th, 2010 @ 11:22 AM
http://github.com/rails/rails_xss doesn't work with 2.3.5.
You should use it with the next 2.3.6 or, for now, the 2-3-stable branch.

Santiago Pastorino March 4th, 2010 @ 11:55 AM
- State changed from open to resolved

Greg Hazel May 26th, 2010 @ 01:08 AM
This bug still exists using Rails 2.3.8 and http://github.com/rails/rails_xss
not_safe = "<i>XSS is fun</i>"
link_to(not_safe, "/") # => <a href=\"/\"><i>XSS is fun</i></a>

Greg Hazel May 26th, 2010 @ 02:02 AM
This shows the bug, but maybe I am just not including all the right helpers, since it does work from a template.
foo.rb
class << self
  include ActionView::Helpers::UrlHelper
  include ActionView::Helpers::TagHelper
end
not_safe = "<i>XSS is fun</i>"
puts link_to(not_safe, "/").inspect

> ruby script/runner foo.rb
"<a href=\"/\"><i>XSS is fun</i></a>"

Santiago Pastorino May 26th, 2010 @ 04:10 PM
Greg: this http://github.com/rails/rails_xss/commit/14b75220111a7256efae6ac175... solves your issue; upgrade to the latest rails_xss.

Greg Hazel May 26th, 2010 @ 10:26 PM
Indeed it does! Thanks! This ticket is done, from my perspective.