[OSM-dev] XSS Vulnerabilities

Tom Hughes tom at compton.nu
Tue Jan 15 09:08:59 GMT 2008


In message <55F14BF8-BBF5-4E0C-BB5D-DB9E015C1A4A at asklater.com>
        SteveC <steve at asklater.com> wrote:

> On 15 Jan 2008, at 00:17, Tom Hughes wrote:
>
>> It's anything but trivial to fix (without losing functionality) which
>> is why it hasn't been done before.
>>
>> If whoever originally wrote the code had thought about these things
>> then it would have been easy, but dealing with the legacy data that we
>> now have makes it hard.
>
> when you print the content can't you just escape html brackets?
>
> <%= blah.content.gsub('<', '&lt;') %>
>
> in fact isn't there a rails function to do it?

Yes - the h() function, and that is what I have added.

It breaks all the harmless HTML tags people have used in their
diary entries though, most notably any links people have put in.

What we should have done is use one the plugins that offers a
wiki-ish type benign markup but now we have legacy entries using
raw HTML tags.

Tom

-- 
Tom Hughes (tom at compton.nu)
http://www.compton.nu/
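The two options Tom contrasts, as an added example that is not from this thread or from the OSM code base: `escape_all` does what Rails' h() does (every tag becomes literal text, links included), and `sanitize` is a small allowlist filter of the kind a benign-markup plugin provides, which keeps harmless tags such as `<a href>` and `<b>` while rendering everything else, `<script>` and event-handler attributes among it, as inert text. The tag, attribute and URL-scheme allowlists are assumptions chosen for this example, and the sample diary entry at the bottom is constructed.

```ruby
require "erb"

# Option 1: what Rails' h() does. ERB::Util.html_escape (alias ERB::Util.h)
# turns every &, <, >, " and ' into an entity, so no tag survives at all:
# safe, but a link someone typed into a diary entry shows up as literal text.
def escape_all(content)
  ERB::Util.html_escape(content)
end

# Option 2: benign markup. Keep a small allowlist of tags and attributes and
# rebuild every tag from scratch; anything not on the list is shown as text.
# The allowlist and scheme list are assumptions chosen for this example.
ALLOWED_TAGS = {
  "a"  => %w[href title],
  "b"  => [], "i" => [], "em" => [], "strong" => [],
  "p"  => [], "br" => [],
}.freeze
SAFE_SCHEMES = %w[http https mailto].freeze

TAG_RE  = %r{\A<(/?)([a-zA-Z][a-zA-Z0-9]*)\b([^<>]*?)/?>\z}
ATTR_RE = /([a-zA-Z][a-zA-Z0-9-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/

# A link target is accepted only if, after dropping whitespace and control
# characters (browsers ignore them, so "java\tscript:" is still javascript:),
# it has no scheme at all or its scheme is on the allowlist.
def safe_url?(url)
  cleaned = url.gsub(/[\x00-\x20]/, "")
  scheme = cleaned[/\A([a-z][a-z0-9+.\-]*):/i, 1]
  scheme.nil? || SAFE_SCHEMES.include?(scheme.downcase)
end

# Re-emit only allowlisted attributes, with values entity-escaped and
# double-quoted; event handlers such as onclick never make it through.
def safe_attributes(attrs, allowed)
  attrs.scan(ATTR_RE).filter_map do |key, dq, sq, bare|
    key   = key.downcase
    value = dq || sq || bare
    next unless allowed.include?(key)
    next if key == "href" && !safe_url?(value)
    %( #{key}="#{ERB::Util.html_escape(value)}")
  end.join
end

def sanitize(content)
  # Split into candidate tags (<...>) and the text between them. Tags are
  # never passed through verbatim: allowed ones are rebuilt, others escaped.
  content.split(/(<[^<>]*>)/).map do |piece|
    if (m = piece.match(TAG_RE))
      closing, name, attrs = (m[1] == "/"), m[2].downcase, m[3]
      allowed = ALLOWED_TAGS[name]
      if allowed.nil?
        ERB::Util.html_escape(piece)          # unknown tag: show it literally
      elsif closing
        "</#{name}>"
      else
        "<#{name}#{safe_attributes(attrs, allowed)}>"
      end
    else
      ERB::Util.html_escape(piece)            # plain text, including stray '<'
    end
  end.join
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample diary entry, not real OSM data.
  entry = %(See <a href="http://www.compton.nu/">my site</a> & ) +
          %(<a href="javascript:alert(1)" onclick="x()">this</a><script>alert(1)</script>)
  puts escape_all(entry)
  puts sanitize(entry)
end
```

Run it with `ruby sanitize.rb` to see both renderings of the same entry. The important design choice is that `sanitize` never copies a tag from the input to the output: every emitted tag is assembled from the allowlisted name and the attributes that passed the filter, so a malformed or half-closed tag can only ever degrade into escaped text, never into live markup.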
