Desinfección de URL para evitar XSS en Rails

In an rails application, users can create events and post an url to link to the external event site.

How do I sanitize the urls to prevent XSS links?

Gracias por adelantado,

example of XSS, which is not preventable by rails' sanitize method

@url = "javascript:alert('XSS')"
<a href="<%=sanitize @url%>">test link</a>

preguntado el 09 de marzo de 12 a las 13:03

4 Respuestas

Try sanitizing once the href is already in a tag like:

url = "javascript:alert('XSS')"
sanitize link_to('xss link', url)

Esto me da:

<a>xss link</a>

respondido 28 nov., 12:06

You can use Rails' Desinfectar method for some basic restriction.

Or you can use rgrove's Desinfectar gem for more options.

Espero que esto ayude.

respondido 09 mar '12, 14:03

@url = "javascript:alert('XSS')" <a href="<%=sanitize @url%>">xss link</a> does not work. i should reflect in my question that i have already tested the rails' sanitize method. - Rickypai

rgrove's sanitize gem is really nice if you need more control than the built-in Rails sanitize gives you. Either way, like Ben's answer points out, you need to sanitize the html for the entire link, not just the URL itself. - antinoma

sanitize works with html strings, not urls. meaning, you can't sanitize an URL itself, but you can sanitize a piece of html which has a link with an malicious url. for example

<%= sanitize "<a href='#{@url}'>Things</a>" %>

That will clean your link of all known malicious attributes

Respondido el 06 de diciembre de 13 a las 00:12

This vulnerability has been fixed since 3.2.13, 3.1.12, 2.3.18 .

The following link also provides a patch you can use in earlier versions.

https://groups.google.com/forum/#!msg/rubyonrails-security/zAAU7vGTPvI/1vZDWXqBuXgJ

respondido 21 nov., 13:00

No es la respuesta que estás buscando? Examinar otras preguntas etiquetadas or haz tu propia pregunta.