ActiveRecord::UnknownAttributeError: unknown attribute: <script type

Has anyone seen this happening to their apps?

I’m starting to get errors like this come across from one of my apps:

ActiveRecord::UnknownAttributeError: unknown attribute: <script type

The parameters being sent are:

{"user"=>
{"email_confirmation"=>"[email protected]",
"wants_new_message_notifications"=>"1",
"is_admin"=>"0",
"<script type"=>"=MyLastName",
"first_name"=>"MyFirstName",
"email"=>"[email protected]"},
"account_id"=>"1",
"action"=>"create",
"controller"=>"users",
"_"=>""}

Obviously it throws this error since my user model doesn’t have a
property named “<script type”.

So far it looks like it’s coming from Safari only, both Windows and
Mac.

I’m wondering what could be renaming the form field names on the
client side to cause this? I have verified that the rendered HTML is
correct.

On Tue, Aug 10, 2010 at 10:21 AM, jemminger [email protected] wrote:

{"user"=>
{"email_confirmation"=>"[email protected]",
"wants_new_message_notifications"=>"1",
"is_admin"=>"0",
"<script type"=>"=MyLastName",
"first_name"=>"MyFirstName",

I’m wondering what could be renaming the form field names on the
client side to cause this? I have verified that the rendered HTML is
correct.

How? Using the W3C validator?

I’d bet on a mis-matched/imbalanced quotes and/or tags somewhere
close to that input field.

Unless you have some JavaScript doing some funny innerHTML
insertions; but easy enough to turn off JS and see if the error recurs.

FWIW,

Hassan S. ------------------------ [email protected]
twitter: @hassan

On Aug 10, 4:47 pm, Gudleik R. [email protected] wrote:

Could be a bug or even someone trying to inject malicious JavaScript
code into your app.
In either case it's good practice to have these kinds of scenarios
covered by tests.

How? It’s not really feasible to strip attrs that don’t belong from
the params… I’d have to query the targeted model for its list of
valid params and then reject non-matches. The idiom is to trustingly
throw the whole hash at the model - “User.create params[:user]”.

This error doesn’t seem to be so much a security risk as just
perplexing. Happened again on another action today… random field,
“unknown attribute: description<script type”. Safari only again.

You should also make sure that some fields are protected from mass-assignment.
In your hash you have is_admin => 0. If you have in your controller:
User.create params[:user]

or

@user.update_attributes params[:user]

Thanks, this has already been done.

Could be a bug or even someone trying to inject malicious JavaScript
code into your app.
In either case it's good practice to have these kinds of scenarios
covered by tests.

You should also make sure that some fields are protected from
mass-assignment.
In your hash you have is_admin => 0. If you have in your controller:
User.create params[:user]

or

@user.update_attributes params[:user]

Then anybody can create an admin user by posting is_admin=1, unless
you protect it in your model like this:

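class User < ActiveRecord::Base
  # Block mass-assignment of is_admin only
  attr_protected :is_admin

  # or, instead, list the only attributes that may be mass-assigned:
  # attr_accessible :name, :email, :username
end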

Railscasts.com has some screencasts on this topic:
Ruby on Rails Screencasts - RailsCasts


gudleik
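
The filtering discussed in this thread, as an added example that is not part of the original posts and is not Rails code: it splits a submitted hash into keys that may be assigned, keys that name a protected attribute such as is_admin, and keys that match no attribute at all, such as "<script type". SafeAssign, the two attribute lists and the sample hash are assumptions made for illustration.

```ruby
# Added example: plain Ruby, no Rails required. SafeAssign is a hypothetical helper.
module SafeAssign
  Result = Struct.new(:permitted, :protected_keys, :unknown_keys)

  # known:      every attribute the model has (columns plus virtual attributes)
  # accessible: the subset a form may set, i.e. what attr_accessible would list
  def self.filter(params, known:, accessible:)
    result = Result.new({}, [], [])
    params.each do |key, value|
      name = key.to_s
      if accessible.include?(name)
        result.permitted[name] = value
      elsif known.include?(name)
        result.protected_keys << name # real attribute, not form-settable
      else
        result.unknown_keys << name   # the model would raise UnknownAttributeError
      end
    end
    result
  end
end

# Assumed attribute lists for the User model in the thread.
USER_ACCESSIBLE = %w[email email_confirmation first_name last_name
                     wants_new_message_notifications].freeze
USER_KNOWN = (USER_ACCESSIBLE + %w[id is_admin]).freeze

# Constructed sample shaped like the params[:user] hash in the thread.
SAMPLE = {
  "email_confirmation" => "user@example.com",
  "wants_new_message_notifications" => "1",
  "is_admin" => "1",
  "<script type" => "=MyLastName",
  "first_name" => "MyFirstName",
  "email" => "user@example.com"
}.freeze

def demo
  SafeAssign.filter(SAMPLE, known: USER_KNOWN, accessible: USER_ACCESSIBLE)
end

if __FILE__ == $PROGRAM_NAME
  r = demo
  puts "assign:    #{r.permitted.keys.sort.inspect}"
  puts "protected: #{r.protected_keys.inspect}"
  puts "unknown:   #{r.unknown_keys.inspect}"
end
```

Logging protected_keys and unknown_keys with the request's user agent separates a mangled form submission from a deliberate is_admin probe, and keeps either from surfacing as an unhandled exception.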

On Tue, Aug 10, 2010 at 9:04 PM, Hassan S.