
Simon Willison’s Weblog

Why the h can't Rails escape HTML automatically? It would be a pretty huge change, but auto-escaping in Rails 2.0 could close up a lot of accidental XSS holes.


8 comments

  1. It's pretty simple really, we have helpers that produce markup.

    <%= link_to "Home", home_url %>

    If we escape by default we can't do that. Unless, that is, we use some nasty hack like string tainting.

    Perl's hardly held up as a paragon of XSS virtue, so tainting won't magically save us.

    Koz - 1st December 2007 22:58 - #

  2. You might want to take a look at how we dealt with that problem in Django - essentially we used string tainting, although I wouldn't personally call it a nasty hack.

    Simon Willison - 2nd December 2007 00:07 - #

  3. You don't seem to use 'tainting' in the perl / ruby sense, just have people opt-out. Like the jstl escapeXml option. We could have an 'unescape' function, but I'm not really sure that that's an improvement.

    Either way, it's far too late in our release process to go breaking every single application out there :-).

    For those who want it there's already a plugin:

    http://wiki.rubyonrails.org/rails/pages/Safe+ERB

    I'll keep putting h where it's needed and enjoy the benefits of a white-list based html sanitiser and built-in CSRF protection :)

    Koz - 2nd December 2007 00:40 - #

  4. How does the CSRF protection work? I hadn't seen that feature of Rails. Django has had CSRF protecting middleware for ages but I worry that most people don't turn it on.

    The way we handled auto-escaping in Django was designed to be backwards compatible with most existing applications (stuff that had already been explicitly escaped in a template wouldn't be double-escaped).

    Simon Willison - 2nd December 2007 00:52 - #
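
The "mark as safe" scheme Simon describes in comments 2 and 4 (every interpolated value is escaped unless a helper has flagged it as trusted markup, and a value that was already escaped explicitly is not escaped a second time), shown as an added Ruby illustration. This is not code from Rails, Django or the Safe ERB plugin; SafeString, h, link_to, render and render_comment are assumed names, and the {{name}} template syntax is a stand-in for ERB's <%= %>.

```ruby
require 'cgi'

# A String subclass carrying a "this is trusted HTML" flag. Only helpers that
# build markup ever construct one; user input always stays a plain String.
class SafeString < String; end

# Escape the HTML-significant characters. A SafeString is returned unchanged,
# so explicit escaping in a template is never applied twice.
def h(value)
  return value if value.is_a?(SafeString)
  SafeString.new(CGI.escapeHTML(value.to_s))
end

# A markup-producing helper, as in Koz's link_to example: the href and the
# link text are escaped individually, then the assembled tag is marked safe so
# the template does not escape the angle brackets the helper just produced.
def link_to(text, url)
  SafeString.new(%(<a href="#{h(url)}">#{h(text)}</a>))
end

# Auto-escaping template stand-in: literal template text is trusted, every
# {{name}} interpolation passes through h, so only SafeString values skip
# escaping. (Assumed syntax; ERB would be <%= name %>.)
def render(template, vars)
  template.gsub(/\{\{(\w+)\}\}/) { h(vars.fetch(Regexp.last_match(1).to_sym)) }
end

COMMENT_TEMPLATE = '<p>{{comment}} {{home_link}}</p>'

# Render a user-supplied comment next to a helper-generated link.
def render_comment(comment_text)
  render(COMMENT_TEMPLATE, comment: comment_text, home_link: link_to('Home', '/'))
end

if __FILE__ == $PROGRAM_NAME
  # Constructed input: a script tag a commenter might post.
  puts render_comment('<script>alert(1)</script>')
  # Explicitly pre-escaped input is not double-escaped.
  puts render(COMMENT_TEMPLATE, comment: h('a & b'), home_link: link_to('Home', '/'))
end
```

One design point worth noticing: Ruby's String#+ returns a plain String even when the receiver is a SafeString, so concatenating untrusted text onto helper output silently drops the flag and the whole result is escaped again. That is the fail-safe direction; the opposite mistake (marking something safe that is not) is the only way to reintroduce a hole, and it has to be done explicitly.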

  5. The CSRF protection stores a random token in the session. The form_tag helpers and co automatically add it to a hidden field.

    Filters then check POST requests contain the right value. For all the gory details:

    http://dev.rubyonrails.org/browser/trunk/actionpack/lib/action_controller/request_forgery_protection.rb

    The only reports of failure that I've seen are from people who reset the session to prevent session_fixation attacks. If someone goes back and submits a form, they have the old token.

    We've removed those URL based sessions now, so hopefully that won't hurt too many more people.

    Koz - 2nd December 2007 00:59 - #
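
The mechanism Koz describes (a random token stored in the session, written into a hidden field by the form helper, and checked by a filter on POST requests), including the session-reset failure he mentions, as an added Ruby illustration. It is not the Rails request_forgery_protection.rb code; csrf_token, hidden_token_field, verified_request? and simulate_session_reset are assumed names, and the session is modelled as a plain Hash.

```ruby
require 'securerandom'

TOKEN_KEY = :_csrf_token

# Return the session's token, generating a random one on first use.
def csrf_token(session)
  session[TOKEN_KEY] ||= SecureRandom.hex(32)
end

# What a form_tag-style helper emits: the hidden field carrying the token.
def hidden_token_field(session)
  %(<input type="hidden" name="authenticity_token" value="#{csrf_token(session)}" />)
end

# Constant-time comparison so the check does not leak how many leading
# characters of a guessed token were correct.
def secure_compare(a, b)
  return false unless a.is_a?(String) && b.is_a?(String) && a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# The filter: GET requests pass, every other request must carry the token
# currently held in the session. A session with no token fails closed.
def verified_request?(method, params, session)
  return true if method == 'GET'
  expected = session[TOKEN_KEY]
  return false if expected.nil?
  secure_compare(params['authenticity_token'].to_s, expected)
end

# The failure case from the thread: a form is rendered, then the session is
# reset (e.g. on login, to defeat session fixation), so the token the browser
# still holds no longer matches and the legitimate submission is rejected.
def simulate_session_reset
  session = {}
  form = hidden_token_field(session)
  token_from_form = form[/value="([^"]+)"/, 1]
  session = {}             # session reset discards the token
  csrf_token(session)      # a fresh token is issued for the new session
  verified_request?('POST', { 'authenticity_token' => token_from_form }, session)
end

if __FILE__ == $PROGRAM_NAME
  session = {}
  puts hidden_token_field(session)
  puts verified_request?('POST', { 'authenticity_token' => csrf_token(session) }, session)
  puts verified_request?('POST', {}, session)
  puts simulate_session_reset
end
```

The reset case is the one to watch in a deployment: rotating the session identifier on login is the right defence against fixation, but the token has to be carried over into the new session (or the form re-rendered) or every form that was open before login will be rejected as a forgery.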

  6. There's a plugin for Rails that works with frozen/tainted strings.

    All in all I believe this would be a non-feature. You can't have a framework fix what's wrong with the developer's understanding of how to develop web applications.

    Hendrik Mans - 2nd December 2007 13:48 - #

  7. Hendrik: I'd argue that auto-escaping isn't about protecting poor developers who don't understand the threat of XSS so much as it's about protecting smart developers from one mistake completely compromising the security of their application.

    Simon Willison - 2nd December 2007 16:28 - #

  8. (The "oscape" typo in the title is bugging me out of all proportion here.)

    Adam Vandenberg - 3rd December 2007 16:48 - #
