VERBOTEN_TAGS and VERBOTEN_ATTRS

Hey all,

I’ve found that the standard VERBOTEN_TAGS and VERBOTEN_ATTRS constants
let far too much malicious code into a page.

I’m not talking about ugly-- I’m talking about stuff like javascript
redirects Bad!

Since they’re customizable, I have now:

ActionView::Helpers::TextHelper::VERBOTEN_TAGS=%w{frame form script
iframe meta}
ActionView::Helpers::TextHelper::VERBOTEN_ATTRS=/^(on|dynsrc)/i

(the dynsrc attribute can be added to an img tag, and popular browsers
will then execute javascript in the attribute.)

It would be nice if these modifications made it into the trunk, so no
one
else has the problems I’ve seen in production.


Justin Dossey

Justin Dossey wrote:

ActionView::Helpers::TextHelper::VERBOTEN_TAGS=%w{frame form script iframe meta}
ActionView::Helpers::TextHelper::VERBOTEN_ATTRS=/^(on|dynsrc)/i

(the dynsrc attribute can be added to an img tag, and popular browsers
will then execute javascript in the attribute.)

It would be nice if these modifications made it into the trunk, so no one
else has the problems I’ve seen in production.


Justin Dossey

Then submit a patch to the rails trac…

dev.rubyonrails.org

_Kevin

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs