* A nonce, or "number used once," is a random value generated by the server that the client must include with
its request. Because the nonce is different on each request, the server can ensure that the same request is not
sent twice.
140 | Chapter 5: Security
In many cases, this is desirable: a blog will allow users to comment on entries, in
some cases adding their own HTML. This can expose a vulnerability: if script tags
are not filtered out before displaying the content, they are exposed to viewers as if
part of the third-party site. This can bypass browser security policies, as browsers
usually restrict scripts' access permissions based on the origin of the code. If the code
appears to be coming from the target site, it can access information (e.g., cookies)
belonging to the target site.
Mitigation
Defending against XSS vulnerabilities can be either very easy or very difficult. If the
application in question does not allow untrusted users to enter HTML, defending
against XSS is easy. In this case, each HTML character must be escaped before output.
The Rails h() method escapes all special HTML characters for you:
<% @post.comments.each do |comment| %>
  <%=h comment.text %>
<% end %>
On occasion, there is debate over whether to store content that must be escaped for
display in its plain-text or escaped forms. The advantage of storing data escaped is that
you never forget to escape it for display; the advantage of storing it unescaped is that it
is in its "natural" state.
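The following example is added here and is not code from the book or from Rails: it renders the comment loop above with plain ERB (whose ERB::Util provides the same h() helper Rails views use), shows the script-tag case being neutralised, and makes the store-plain versus store-escaped trade-off concrete by showing what happens when an already-escaped value passes through h() a second time. The sample comments and the <li> markup are constructed for the example.

```ruby
require 'erb'
include ERB::Util # brings in h() / html_escape, the helper Rails views call as h()

# Constructed sample data (not from the book). The second comment carries the
# script tag the text warns about; the third exercises the storage question.
Comment = Struct.new(:text)
SAMPLE_COMMENTS = [
  Comment.new('Nice post!'),
  Comment.new("<script>alert('xss')</script>"),
  Comment.new('Fish & chips')
].freeze

# The book's view loop, rendered with plain ERB instead of Rails so it runs
# stand-alone. Every comment goes through h() before it reaches the page.
COMMENTS_TEMPLATE = ERB.new(<<~'TPL', trim_mode: '-')
  <% comments.each do |comment| -%>
  <li><%= h comment.text %></li>
  <% end -%>
TPL

def render_comments(comments)
  COMMENTS_TEMPLATE.result_with_hash(comments: comments)
end

# True when a script tag survived into the output, i.e. escaping was missed.
def contains_raw_script?(html)
  html.match?(/<script\b/i)
end

# The storage trade-off from the text, made concrete. Escape-at-output views
# such as the one above are safe only when the stored value is plain text; a
# value escaped before storage gets escaped again, and readers see "&amp;".
def output_for(stored_value)
  h(stored_value)
end

def store_plain(text)
  text          # escape once, at display time
end

def store_escaped(text)
  h(text)       # escaped at write time; must not go through h() again
end

if __FILE__ == $PROGRAM_NAME
  puts render_comments(SAMPLE_COMMENTS)
  puts output_for(store_plain('Fish & chips'))    # Fish &amp; chips
  puts output_for(store_escaped('Fish & chips'))  # Fish &amp;amp; chips
end
```

Whichever storage policy you pick, it must be applied consistently: a view that calls h() on everything will double-escape values that were escaped on the way in.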