Forum: Ruby on Rails text_area_tag not escaping content by default

mla m. (Guest)
on 2009-02-15 22:11
(Received via mailing list)
I stumbled on the fact that text_area_tag does not HTML escape its
content by default. For example:

  text_area_tag "body", "</textarea><script>alert('xss');</script>"

If you try that, you'll see that the content is inserted literally.
Considering the fact that the tag helpers all encode their attribute
values by default, does this surprise anyone else?

I found a ticket on this issue from a couple years ago from Chris M.
but it looks like it was dropped:
http://dev.rubyonrails.org/ticket/5929

It seems like there were two main arguments against encoding:

1. backwards compatibility
2. some people depend on this behavior to allow HTML in their text
area boxes

#2 I don't really understand. You can allow HTML...just escape it.
It's equivalent to allowing HTML in a text field tag, no? You have to
either know the value is sanitized or escape it.

#1 I can understand, but that's not a show-stopper, right? There have
been numerous non-backwards-compatible changes adopted by introducing
them slowly, providing config options, etc.

I'm guessing there's quite a few people using text_area_tag and
assuming the content is being safely escaped by default. And every one
of them is an XSS problem.

It's an issue with anything that uses content_tag, of course. Try
this, for example:

  label_tag 'foo', "</label><script>alert('xss2')</script>"

At the very least, are we amenable to adding a note in the
FormTagHelper docs about the escaping rules?
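An added illustration, not Rails' own helper code: a minimal content_tag with an assumed `escape:` switch, so the unescaped behaviour reported above (`escape: false`) and the escaped form sit side by side, plus a small check over the rendered markup for an early closing tag. The payloads are the ones quoted in the post.

```ruby
require "erb"

# Hypothetical stand-in for the helper under discussion. `escape: false`
# reproduces the 2009 text_area_tag/label_tag behaviour (content inserted
# literally); `escape: true` treats content like the attribute values,
# which the tag helpers already escape.
def content_tag(name, content, attrs = {}, escape: true)
  attr_str = attrs.map { |k, v| %( #{k}="#{ERB::Util.html_escape(v)}") }.join
  body = escape ? ERB::Util.html_escape(content) : content.to_s
  "<#{name}#{attr_str}>#{body}</#{name}>"
end

def text_area_tag(name, content, escape: true)
  content_tag("textarea", content, { name: name, id: name }, escape: escape)
end

def label_tag(name, text, escape: true)
  content_tag("label", text, { for: name }, escape: escape)
end

# Check on rendered markup: if more than one closing tag for `tag` is
# present, the value closed the element early, i.e. it broke out.
def breaks_out?(markup, tag)
  markup.scan("</#{tag}>").size > 1
end

# Constructed sample values, the payloads quoted in the post.
TEXTAREA_PAYLOAD = "</textarea><script>alert('xss');</script>"
LABEL_PAYLOAD = "</label><script>alert('xss2')</script>"

if __FILE__ == $0
  puts text_area_tag("body", TEXTAREA_PAYLOAD, escape: false) # breaks out
  puts text_area_tag("body", TEXTAREA_PAYLOAD)                # stays inside
  puts label_tag("foo", LABEL_PAYLOAD, escape: false)
  puts label_tag("foo", LABEL_PAYLOAD)
end
```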
Chris M. (Guest)
on 2009-02-19 18:38
(Received via mailing list)
On Feb 15, 8:10 pm, mla <removed_email_address@domain.invalid> wrote:
> I found a ticket on this issue from a couple years ago from Chris M.
> but it looks like it was dropped: http://dev.rubyonrails.org/ticket/5929

I've put up an updated ticket and patch:

http://rails.lighthouseapp.com:80/projects/8994/ti...

Since making that first patch two years ago, the corresponding
text_area method in FormHelper now escapes its contents by default, so
I think there's a good case for text_area_tag having the same
behaviour, for consistency's sake if nothing else.

Chris
Chris M. (Guest)
on 2009-02-19 18:38
(Received via mailing list)
On Feb 15, 8:10 pm, mla <removed_email_address@domain.invalid> wrote:
> I found a ticket on this issue from a couple years ago from Chris M.
> but it looks like it was dropped: http://dev.rubyonrails.org/ticket/5929

I've posted a new ticket on Lighthouse with an up-to-date patch:

http://rails.lighthouseapp.com/projects/8994-ruby-...

I also noticed that the text_area method in FormHelper actually does
escape its contents now, so text_area_tag probably should do the same
for consistency's sake if nothing else.

Chris