Cross-site Scripting?


Jon Crawford

Oct 1, 2009, 12:35:15 PM
to Liquid Templates
Do I need to be worried about XSS attacks with Liquid? Should I make
sure forms don't have the session authenticity token? Are there any
other security measures I need to take into consideration with Liquid?

Thanks for the help!

Garry Tan

Oct 1, 2009, 2:37:03 PM
to liquid-t...@googlegroups.com
If you allow users to upload their own liquid templates, then yes, you
still need to run any input through your own input sanitizers. Liquid
only protects you from a user running arbitrary ruby code through the
templates, but XSS is a problem when the user's login token can be
stolen via XSS, or the user can be made to do malicious / destructive
things via arbitrary javascript by an attacker.

Your best bet is to run it through HTML::WhiteListSanitizer with your
own desired settings / attributes / tags.

Jon Crawford

Oct 2, 2009, 10:01:56 AM
to Liquid Templates
Thanks, Garry.

Yes, my users will be customizing their own templates. I'd like to
allow users to link to an external <script> to add fancy ajax or
javascript effects, but that's the part that worries me. As I
understand it, that will give any script access to the viewer's login
cookie and session id.

Do you have any concrete examples about how I should handle this?

Garry Tan

Oct 2, 2009, 1:23:46 PM
to liquid-t...@googlegroups.com
The right way to allow javascript would be to put user generated templates on their own domain and make sure your site sessions are completely separate from their domain sessions. You can probably use subdomains for this.

E.g. yoursite.com has its own session cookies, and usersite1.yoursite.com has a different set completely.

Then, as long as the way you respond to requests on usersite1.yoursite.com doesn't allow the user to do anything evil or bad (e.g. delete stuff, steal contact info, whatever), you should be OK.
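The session-isolation advice above only holds if the main site's session cookie is host-only; a cookie set with `Domain=yoursite.com` is sent to every subdomain, including the user-template hosts. As an added example, not part of this thread, the following Ruby applies the RFC 6265 domain-matching rule to a constructed cookie and a constructed list of template hosts to check which hosts would receive the cookie (all host names are made up).

```ruby
# Added example (not from the thread): checks whether a session cookie set by
# yoursite.com would also be sent to a user-template subdomain, following the
# domain-matching rule of RFC 6265 section 5.1.3. All host names are constructed.

# Does request_host "domain-match" cookie_domain (RFC 6265 5.1.3)?
def domain_match?(request_host, cookie_domain)
  request_host = request_host.downcase
  cookie_domain = cookie_domain.downcase
  return true if request_host == cookie_domain
  request_host.end_with?(".#{cookie_domain}")
end

# cookie: a hash mirroring the attributes of a Set-Cookie header.
# A cookie with no Domain attribute is "host-only" and goes only to the exact
# host that set it; one with Domain=example.com also goes to every subdomain.
def cookie_sent_to?(cookie, request_host)
  if cookie[:domain].nil? || cookie[:domain].empty?
    request_host.downcase == cookie[:origin_host].downcase
  else
    domain_match?(request_host, cookie[:domain].sub(/\A\./, ""))
  end
end

# Returns the user-template hosts that would receive the main site's session
# cookie; an empty list means the sessions really are separated.
def session_leaks(cookie, template_hosts)
  template_hosts.select { |h| cookie_sent_to?(cookie, h) }
end

# Constructed sample data.
TEMPLATE_HOSTS = %w[usersite1.yoursite.com usersite2.yoursite.com].freeze

# Weak setting: Domain=yoursite.com turns the session into a domain cookie.
LEAKY_SESSION = { name: "_session", origin_host: "yoursite.com",
                  domain: "yoursite.com" }.freeze

# Corrected setting: no Domain attribute, so the cookie is host-only.
ISOLATED_SESSION = { name: "_session", origin_host: "yoursite.com",
                     domain: nil }.freeze

if __FILE__ == $PROGRAM_NAME
  puts "leaky:    #{session_leaks(LEAKY_SESSION, TEMPLATE_HOSTS).inspect}"
  puts "isolated: #{session_leaks(ISOLATED_SESSION, TEMPLATE_HOSTS).inspect}"
end
```

Note that a host-only cookie still reaches `yoursite.com` itself, so the main site keeps working; only the template subdomains stop seeing it.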