Forum: Ruby on Rails sanitize dangers

Jonathan Baudanza (Guest)
on 2006-05-11 05:05
I've noticed that it is possible to pass javascript unaltered through
the sanitize function using CSS.  For example:

sanitize( "<style type='text/css'>body{background-image:url('javascript:window.alert(1)')}</style>" )

IE will execute the javascript.  Firefox will not.  I haven't tried it
with any other browsers.

This isn't really a bug, since the documentation for sanitize doesn't
claim to clean up CSS.  The docs should perhaps contain a disclaimer
that sanitize alone is not sufficient for removing javascript and
preventing XSS attacks.
Jakob Skjerning (Guest)
on 2006-05-11 21:54
(Received via mailing list)
Jonathan Baudanza wrote:
> I've noticed that it is possible to pass javascript unaltered through
[SNIP]
> This isn't really a bug, since the documentation for sanitize doesn't
> claim to clean up CSS.  The docs should perhaps contain a disclaimer
> that sanitize alone is not sufficient for removing javascript and
> preventing XSS attacks.

I'd call this a bug seeing that sanitize ensures "that arbitrary
Javascript cannot be executed" and suggest you file a bug report in trac
- and of course a nice test-based patch :)
Dylan Stamat (Guest)
on 2006-05-11 23:07
(Received via mailing list)
Jonathan, will you let us know if you're going to send the ticket in?
Just want to make sure this one doesn't slip through the cracks :)
Jonathan Baudanza (Guest)
on 2006-05-12 00:24
Dylan Stamat wrote:
> Jonathan, will you let us know if you're going to send the ticket in ?
> Just want to make sure this one doesn't slip through the cracks :)

http://dev.rubyonrails.org/ticket/4154

Looks like it's already being tracked.  I think what is really needed is
a sanitize_css method that sanitize can use to clean <style> tags and
style= attributes.
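The sanitize_css method proposed in this post, sketched as an added example (not Rails' own code, nor the fix that ticket 4154 eventually got): it keeps only allow-listed declarations and drops any url() whose scheme is not http or https, so the javascript: background-image from the first post is removed from both <style> blocks and style= attributes. The property allow-list, the http/https-only scheme rule and the regex-based <style>/style= handling are assumptions for illustration; a production version would work on a parsed DOM.

```ruby
# Added example: an allow-list CSS sanitizer in the spirit of the
# sanitize_css method proposed above. Not Rails code; the lists below
# are illustrative assumptions, not a complete safe set.
require 'set'

ALLOWED_CSS_PROPERTIES = Set.new(%w[
  color background-color background-image font-size font-weight
  text-align margin padding
])
ALLOWED_URL_SCHEMES = %w[http https]

# True if a declaration value is safe: no CSS escapes, no IE expression(),
# no @import, and every url(...) uses an allow-listed scheme.
def safe_css_value?(value)
  return false if value =~ /\\|expression\s*\(|@import/i
  value.scan(/url\s*\(\s*['"]?([^'")]*)['"]?\s*\)/i).flatten.all? do |url|
    u = url.strip.downcase
    ALLOWED_URL_SCHEMES.any? { |s| u.start_with?("#{s}:") }
  end
end

# Sanitize one declaration list ("prop: val; prop: val"), keeping only
# allow-listed properties whose values pass safe_css_value?.
def sanitize_css(style)
  style.split(';').map do |decl|
    prop, val = decl.split(':', 2)
    next if prop.nil? || val.nil?
    prop = prop.strip.downcase
    val = val.strip
    next unless ALLOWED_CSS_PROPERTIES.include?(prop) && safe_css_value?(val)
    "#{prop}: #{val}"
  end.compact.join('; ')
end

# Apply sanitize_css to every rule body inside <style> blocks and to every
# style= attribute of an HTML fragment (regex-based for the demo only).
def sanitize_style_in_html(html)
  html = html.gsub(%r{<style[^>]*>(.*?)</style>}mi) do
    body = Regexp.last_match(1)
    cleaned = body.gsub(/\{([^}]*)\}/) { "{#{sanitize_css(Regexp.last_match(1))}}" }
    "<style type='text/css'>#{cleaned}</style>"
  end
  html.gsub(/style\s*=\s*(['"])(.*?)\1/mi) do
    q = Regexp.last_match(1)
    "style=#{q}#{sanitize_css(Regexp.last_match(2))}#{q}"
  end
end
```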