
Brad Ediger

"Advanced Rails"

There are too many edge cases to be absolutely sure that every piece of potentially malicious code is blocked. Rails security experts advise against the use of blacklisting.*

* See http://www.rorsecurity.info/2007/08/17/dont-use-strip_tags-strip_links-and-sanitize/.
Web Issues | 141
Whitelisting
Instead, whitelisting is a good option. Rick Olson has created a whitelisting plugin, white_list (http://svn.techno-weenie.net/projects/plugins/white_list/), that is the preferred method for preventing cross-site scripting attacks. It is based on a more sound philosophy (only allowing that which is explicitly allowed), and it has more extensive tests than the Rails blacklisting helpers. The basic helper usage is very similar to the other sanitizing methods; after installing the plugin, the whitelisting filter can be applied as follows:
<%= white_list @post.body %>
The white_list plugin has a default set of tags, attributes, and URI schemes that are
allowed, and by default the
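As an added example that is neither the white_list plugin nor code from the book, here is a small whitelisting sanitizer in plain Ruby that shows the philosophy the text describes: the tags, the per-tag attributes and the URI schemes are each an allow-list, and anything not listed is dropped rather than searched for. The allowed sets, the function names and the regex-based tokenizer are my own assumptions chosen to keep the example self-contained; a sanitizer for production use would sit on a real HTML parser, which is exactly the kind of edge-case coverage the plugin's test suite exists for.

```ruby
# Added example, not the white_list plugin and not from the book: a minimal
# whitelisting HTML sanitizer in plain Ruby. Everything is an allow-list:
# tags, per-tag attributes and URI schemes. Unknown tags are dropped (their
# text content is kept and escaped), unknown attributes are dropped, and an
# href whose scheme is not listed is dropped. The policy below is an assumption.
require 'strscan'

ALLOWED_TAGS       = %w[a b i em strong p br ul ol li blockquote code pre].freeze
ALLOWED_ATTRIBUTES = { 'a' => %w[href title], 'code' => %w[title] }.freeze
ALLOWED_SCHEMES    = %w[http https mailto].freeze

# One HTML-ish tag: optional '/', a name, the attribute source, optional trailing '/'.
TAG_RE  = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)((?:\s+[^>]*?)?)\s*(\/?)>/
# One attribute: a name, then optionally ="..." or ='...' or =bare.
ATTR_RE = /([a-zA-Z][\w:-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/

# Decode numeric character references so "&#106;avascript:" is seen as "javascript:".
def decode_numeric_entities(str)
  str.gsub(/&#(x[0-9a-fA-F]+|\d+);?/i) do
    ref = $1
    n = ref.downcase.start_with?('x') ? ref[1..].hex : ref.to_i
    n > 0x10FFFF || (0xD800..0xDFFF).cover?(n) ? '' : [n].pack('U')
  end
end

# A URI is acceptable if it is relative (no scheme) or its scheme is allowed.
# Whitespace and control characters are removed first, as browsers ignore them.
def safe_uri?(value)
  cleaned = decode_numeric_entities(value).gsub(/[\s\x00-\x1f]/, '').downcase
  m = cleaned.match(/\A([a-z][a-z0-9+.\-]*):/)
  m.nil? || ALLOWED_SCHEMES.include?(m[1])
end

# Escape text nodes; an '&' that already starts an entity is left alone.
def escape_text(text)
  text.gsub(/&(?!(?:#\d+|#x[0-9a-fA-F]+|[a-zA-Z]+);)/, '&amp;').gsub('<', '&lt;').gsub('>', '&gt;')
end

def escape_attr(value)
  escape_text(value).gsub('"', '&quot;')
end

# Rebuild an allowed tag from scratch, keeping only its allowed attributes.
def render_tag(name, attr_src, closing, self_closing)
  return "</#{name}>" unless closing.empty?
  allowed = ALLOWED_ATTRIBUTES.fetch(name, [])
  kept = attr_src.scan(ATTR_RE).filter_map do |attr, *values|
    attr = attr.downcase
    next unless allowed.include?(attr)
    value = values.compact.first || ''
    next if attr == 'href' && !safe_uri?(value)
    %( #{attr}="#{escape_attr(value)}")
  end
  "<#{name}#{kept.join}#{self_closing.empty? ? '' : ' /'}>"
end

# Walk the input: allowed tags are re-rendered, other tags vanish, text is escaped.
def white_list_html(html)
  scanner = StringScanner.new(html)
  out = +''
  until scanner.eos?
    if scanner.scan(TAG_RE)
      name = scanner[2].downcase
      out << render_tag(name, scanner[3], scanner[1], scanner[4]) if ALLOWED_TAGS.include?(name)
    else
      out << escape_text(scanner.scan(/[^<]+|</)) # plain text, or a stray '<'
    end
  end
  out
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input for a quick run.
  sample = '<p>Hi <a href="javascript:alert(1)" onclick="x()">click</a> <script>alert(1)</script></p>'
  puts white_list_html(sample)
end
```

The point to notice is that the sanitizer never looks for anything bad: an event-handler attribute, a `script` element or a `javascript:` URI is rejected simply because it is absent from the lists, so a new trick in the same category needs no new rule. The only place the code actively normalises input is the scheme check, because browsers tolerate entities, whitespace and mixed case in a URI, and a whitelist is only as strong as the comparison it performs.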