XSS in 2.3.8 is still opt-in
Reported by Paul Barry | June 2nd, 2010 @ 10:51 PM
My understanding is that the XSS changes that will be in Rails 3 should still be opt-in only for Rails 2.3, as mentioned here
We’re sorry, all: HTML-safety is meant to be opt-in!
So to test this, I've installed Rails 2.3.8:
$ rvm use ree-1.8.7
info: Using ree 1.8.7 2010.01
$ rvm gemset create rails238
info: Gemset 'rails238' created.
$ rvm gemset use rails238
$ gem install rails
Successfully installed activesupport-2.3.8
Successfully installed activerecord-2.3.8
Successfully installed rack-1.1.0
Successfully installed actionpack-2.3.8
Successfully installed actionmailer-2.3.8
Successfully installed activeresource-2.3.8
Successfully installed rails-2.3.8
7 gems installed
$ gem install sqlite3-ruby
Building native extensions. This could take a while...
Successfully installed sqlite3-ruby-1.2.5
1 gem installed
I generated an app and then I made this ERB template:
<html>
<head>
<%= stylesheet_link_tag("foo") + "<title>Foo</title>" %>
</head>
<body>
<%= link_to("#") + "<p>Foo</p>" %>
<%= "<br/>" %>
</body>
</html>
When it gets rendered as a view for an action, it produces this:
<html>
<head>
<link href="/stylesheets/foo.css" media="screen" rel="stylesheet" type="text/css" /><title>Foo</title>
</head>
<body>
<a href="/main">#</a><p>Foo</p>
<br/>
</body>
</html>
The <br/> is not escaped, so that's working as expected, but concatenating a string on to the result of a helper is being escaped without calling h, so that is not as expected. Is this a bug or has the behavior in 2.3.8 been changed intentionally?
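A simplified model, added here and not part of the ticket or of Rails, of the HTML-safety rules behind what the report describes: a helper returns a buffer marked html-safe, `+` between that buffer and a plain String escapes the String, and a plain String emitted on its own by `<%=` passes through verbatim under 2.3.8's opt-in mode. The `SafeBuffer` class, the two helper stand-ins and `render_ticket_template` are assumptions written for this example, not ActiveSupport's source.

```ruby
require 'cgi'

# Constructed model (not the ActiveSupport source): a SafeBuffer is a String
# trusted as markup. Combining it with a plain String escapes the plain part;
# combining it with another SafeBuffer leaves both untouched.
class SafeBuffer < String
  def html_safe?
    true
  end

  def +(other)
    SafeBuffer.new(super(coerce_safe(other)))  # new buffer, still trusted
  end

  def <<(other)
    super(coerce_safe(other))                  # in-place append, same rule
  end

  private

  def coerce_safe(other)
    other.html_safe? ? other.to_str : CGI.escapeHTML(other.to_str)
  end
end

class String
  def html_safe?
    false
  end

  def html_safe
    SafeBuffer.new(self)  # explicit opt-in: caller vouches for the markup
  end
end

# Stand-ins for the helpers in the ticket's template (constructed); like the
# real helpers they return trusted markup, escaping only the caller's text.
def stylesheet_link_tag(name)
  %(<link href="/stylesheets/#{name}.css" media="screen" rel="stylesheet" type="text/css" />).html_safe
end

def link_to(text, href)
  %(<a href="#{href}">#{CGI.escapeHTML(text)}</a>).html_safe
end

# 2.3.8 with safety opt-in: <%= %> inserts each value verbatim, so the only
# escaping in the output is the one SafeBuffer#+ applied to the literals.
def render_ticket_template
  [
    stylesheet_link_tag("foo") + "<title>Foo</title>", # literal gets escaped
    link_to("#", "/main") + "<p>Foo</p>",              # literal gets escaped
    "<br/>",                                           # bare String: untouched
  ].join("\n")
end

# Marking the literal html_safe is what restores the raw concatenation.
def render_with_explicit_safe
  (stylesheet_link_tag("foo") + "<title>Foo</title>".html_safe).to_s
end
```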
Comments and changes to this ticket
Paul Barry June 2nd, 2010 @ 10:53 PM
Hmmm....looks like this may have been fixed in the latest stable/2.3.9. Here's the commit:
http://github.com/rails/rails/commit/a815f0c5a3a873aefca76f459ce05d...
I'll take a look at this tonight
Ryan Bigg June 2nd, 2010 @ 11:52 PM
- State changed from new to open
I was unable to duplicate this on 2.3.8 or 2-3-stable: See the master and 2-3-stable branches for http://github.com/radar/rails-test-app
Paul Barry June 3rd, 2010 @ 12:30 AM
@Ryan Bigg
I can reproduce this in your app as well with rails 2.3.8. Not sure why you can't.