
Simon Willison’s Weblog

Two months with Ruby on Rails. Good rant—covers both the good and the bad. The first complaint is the lack of XSS protection by default in the template language. Django has the same problem, but the solution was 90% there when I saw Malcolm at OSCON.


5 comments

  1. Of course, Rails 2.0 is going to have the CSRF killer plugin built into it out of the box. Which is a very good thing, really.

    Tom Armitage - 9th October 2007 15:32 - #

  2. Excellent news. Looks like it takes the same approach as Django's CSRF middleware - munging the form to add an extra hidden input field.

    Simon Willison - 9th October 2007 17:03 - #

  3. We've been using the same solution in WordPress for about 18 months. We use a token that is unique to the install, the user, the action, the object of the action, and a 12 hour time period (so the token expires). I'm not aware of any other way to solve the problem (i.e. that doesn't require some sort of token that is checked when you perform the action).

    Mark Jaquith - 9th October 2007 19:16 - #

  4. XSS protection by default would mean things like

    <%= link_to ... %>

    or

    <%= render :partial... %>

    would need to be 'unescaped' or have a special insert syntax.

    I'd find that worse than the 1 char you have to type at present.

    Koz - 9th October 2007 21:49 - #

  5. Koz: not if it was a clever implementation. Those two tags would have to be altered to mark the HTML they returned as "already escaped". Take a look at the Django proposal to see how we're handling it: http://code.djangoproject.com/wiki/AutoEscaping

    Simon Willison - 10th October 2007 01:27 - #
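How the "mark as already escaped" design from the comment above works, as an added Python sketch that is not Django's or Rails' own code: the SafeString, link_to and render names are constructed here, and the template and inputs are made up for the demo.

```python
import html
import re


class SafeString(str):
    """A str whose contents are already HTML-safe.

    A tag helper returns one of these so the autoescaper leaves it alone;
    that is the 'already escaped' marking. (Constructed example class.)
    """


def mark_safe(s):
    return SafeString(s)


def escape(value):
    """Autoescape one value: a SafeString passes through untouched,
    anything else is converted to str and HTML-escaped, quotes included."""
    if isinstance(value, SafeString):
        return value
    return SafeString(html.escape(str(value), quote=True))


def link_to(text, url):
    """Stand-in for a link helper: escapes its own inputs, then marks the
    assembled markup safe so the template does not escape it a second time."""
    return mark_safe('<a href="%s">%s</a>' % (escape(url), escape(text)))


_VAR = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def render(template, context):
    """Substitute {{ name }} placeholders, autoescaping every value."""
    return _VAR.sub(lambda m: escape(context[m.group(1)]), template)


TEMPLATE = "<p>Posted by {{ name }}: {{ link }}</p>"  # constructed template


def demo():
    # Constructed inputs: a visitor-supplied name carrying markup, and a
    # helper-built link whose text and URL contain characters that need escaping.
    ctx = {
        "name": '<script>alert("x")</script>',
        "link": link_to('Two "Months" Report', "http://example.com/?a=1&b=2"),
    }
    return render(TEMPLATE, ctx)
```

The user-supplied name is neutralised while the helper's markup survives intact, so no extra "unescaped" syntax is needed at the call site.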
