The Artima Developer Community

Ruby Buzz Forum
Rack::NoTags

0 replies on 1 page.
Jan Lelis

Posts: 136
Nickname: rbjl
Registered: Aug, 2009

Jan Lelis is an IT student from Dresden/Germany
Rack::NoTags Posted: Nov 14, 2009 8:17 AM
This post originated from an RSS feed registered with Ruby Buzz by Jan Lelis.
Original Post: Rack::NoTags
Feed Title: rbJ*_*L.net
Feed URL: http://feeds.feedburner.com/rbJL
Feed Description: Hi, I am a fan of Ruby and like to explore it and the world around ;). So I started this blog, where I am publishing code snippets, tutorials for beginners as well as general thoughts about Ruby, the web or programming in general.
This is my submission for the CodeRack contest:

A middleware that removes < and > from all incoming requests.

About

Most XSS attacks try to inject some kind of JavaScript, and almost every one of them needs HTML tags to be inserted first (from which the JavaScript can then be started in some way).

This Rack middleware approaches the problem by radically removing all < and > characters from all incoming GET/POST parameters.

Note: this means that if your site needs to send < and > in POST or GET requests, it will probably no longer work; you have to adapt your application design in order to use this middleware.

There are three modes available:

  • :brackets_only (default)
    substitutes < with &lt; and > with &gt;
  • :valid_html
    substitutes < > & " ' similar to Rack::Utils#escape_html (also known as h)
  • :paranoid
    deletes < > &lt; &gt; %3C %3E &#60; &#62; &#x3c; &#x3e; and similar variations

It is important to keep in mind: by using Rack::NoTags, your website is not suddenly 100% safe from XSS attacks. Look at it as just another security layer.

Example usage in Rails

In your config/environment.rb put

require 'path/to/rack-notags.rb'
config.middleware.use Rack::NoTags

To activate a different filter mode, you can do it like this:

config.middleware.use Rack::NoTags, :paranoid

The code

Also available as a gist.

# # # #
# Rack::NoTags removes < and > from all incoming requests
# This software is licensed under the CC-GNU GPL version 2.0 or later.
# # # #

require 'rack'
require 'stringio'

module Rack
  class NoTags
    # Note on ordering: the hash is walked in insertion order, so in :valid_html
    # '&' must be escaped before '<' and '>' produce new '&lt;'/'&gt;' entities,
    # otherwise those would be escaped a second time to '&amp;lt;'/'&amp;gt;'.
    Patterns = { # mode => { replacement => [ array, of, patterns ] }

    :brackets_only => {
      '&lt;' => ['<'],
      '&gt;' => ['>'] },

    :valid_html => { # similar to Rack::Utils#escape_html
      '&amp;'  => ['&'],
      '&lt;'   => ['<'],
      '&gt;'   => ['>'],
      '&#39;'  => ["'"],
      '&quot;' => ['"'] },

    :paranoid => { # encodings which might be interpreted as < or > in some situations
      '' => %w[ < > %3C %3E ] + [
            /&[lg]t;?/i,
            /&#0{0,5}6[02];?/,
            /&#x0{0,5}3[ce];?/i ]}
    }

    def initialize(app, mode = :brackets_only)
      @app = app
      @patterns = Patterns[mode.to_sym] or
        raise ArgumentError, "unknown Rack::NoTags mode: #{mode.inspect}"
    end

    def call(env)
      # GET params live in the query string ...
      env['QUERY_STRING'] = rebuild(env['QUERY_STRING'].to_s)

      # ... POST params in the (form-encoded) request body; the body is replaced
      # by a fresh stream and CONTENT_LENGTH is updated to match the new size
      body = rebuild(env['rack.input'].read)
      env['rack.input'] = StringIO.new(body)
      env['CONTENT_LENGTH'] = body.bytesize.to_s

      @app.call(env)
    end

  private

    # parses a form-encoded string into params, strips them and re-encodes them
    def rebuild(query)
      Rack::Utils.build_query(strip_all(Rack::Utils.parse_query(query, "&")))
    end

    # applies each 'to-substitute'-pattern to the string
    def strip(string)
      return string unless string.is_a?(String) # a param without '=' parses to nil
      @patterns.each{|replacement,patterns|
        patterns.each{|pattern|
          string = string.gsub(pattern, replacement)
        }
      }

      string
    end

    # looks at every param-element and sends it to the strip method
    def strip_all(params)
      ret = {}
      params.each{ |param,value|
        ret[strip(param)] = value.is_a?(Array) ? value.map{|v|strip(v)} : strip(value)
      }

      ret
    end

  end
end
(c) 2009 Jan Lelis. Please contact me, if you want to use this content.
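To see what the three modes actually do to a request, here is an added, stand-alone re-creation of the middleware (not the post's code, and not using the rack gem: it relies on URI.decode_www_form/encode_www_form from the standard library instead of Rack::Utils). It pushes a hand-built Rack env, with a constructed query string and body, through the filter and returns the parameters the downstream app ends up seeing; NoTagsLite, strip_tags, strip_form, ECHO and run_request are names chosen for this example.

```ruby
require 'uri'
require 'stringio'
# The post's three substitution tables, re-typed here (constructed copy).
MODES = {
  brackets_only: { '&lt;' => ['<'], '&gt;' => ['>'] },
  # '&amp;' must be first: escaping '&' after '<' would turn '&lt;' into '&amp;lt;'.
  valid_html: { '&amp;' => ['&'], '&lt;' => ['<'], '&gt;' => ['>'],
                '&#39;' => ["'"], '&quot;' => ['"'] },
  paranoid: { '' => ['<', '>', '%3C', '%3E', /&[lg]t;?/i,
                     /&#0{0,5}6[02];?/, /&#x0{0,5}3[ce];?/i] },
}.freeze
# Apply every pattern of the chosen mode to one string (non-strings pass through).
def strip_tags(str, mode)
  return str unless str.is_a?(String)
  MODES.fetch(mode).each do |replacement, patterns|
    patterns.each { |pat| str = str.gsub(pat, replacement) }
  end
  str
end
# Decode a form-encoded string, strip every key and value, re-encode it.
def strip_form(encoded, mode)
  pairs = URI.decode_www_form(encoded).map { |k, v| [strip_tags(k, mode), strip_tags(v, mode)] }
  URI.encode_www_form(pairs)
end
# Middleware: sanitise QUERY_STRING (GET) and rack.input (POST body), then
# fix CONTENT_LENGTH and hand the app a fresh, rewound body stream.
class NoTagsLite
  def initialize(app, mode = :brackets_only)
    @app, @mode = app, mode
  end
  def call(env)
    env['QUERY_STRING'] = strip_form(env['QUERY_STRING'].to_s, @mode)
    body = strip_form(env['rack.input'].read, @mode)
    env['rack.input'] = StringIO.new(body)
    env['CONTENT_LENGTH'] = body.bytesize.to_s
    @app.call(env)
  end
end

# Downstream app that reports the decoded parameters it actually received.
ECHO = lambda do |env|
  [200, {}, [URI.decode_www_form(env['QUERY_STRING']).to_h,
             URI.decode_www_form(env['rack.input'].read).to_h]]
end
# Push one request through the middleware; returns [query_params, body_params].
def run_request(mode, query, body)
  env = { 'QUERY_STRING' => query, 'rack.input' => StringIO.new(body) }
  NoTagsLite.new(ECHO, mode).call(env)[2]
end
```

Note that :paranoid also strips a double-encoded %253C (which decodes to the literal text %3C), whereas :brackets_only and :valid_html only act on the decoded < and > characters; an unknown mode name raises KeyError from MODES.fetch instead of silently filtering nothing.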
