Radiant 1.2 release with XSS?
40 views
Skip to first unread message
Michael Noack
Jan 19, 2014, 5:46:52 PM1/19/14
to radiant...@googlegroups.com
I know people are working hard for a radiant 2.x release based on rails 3/4.
But what do people think about having a Radiant 1.2 release which adds the rails_xss gem and thus the various XSS changes needed to get things working.
Ultimately you've found many of the XSS issues in the master branch anyway so can easily backport.
We've done this on our own radiant fork with various XSS fixes so our site can be secure from this threat: https://github.com/sealink/radiant/commits/1.x
By doing this before the 2.x release, extension authors a chance to get their extensions XSS compliant now. It might also highlight which extensions are 'dead' and allow others to take them over now rather than have to deal with all these issues at once when radiant release 2.x
Your thoughts?
But what do people think about having a Radiant 1.2 release which adds the rails_xss gem and thus the various XSS changes needed to get things working.
Ultimately you've found many of the XSS issues in the master branch anyway so can easily backport.
We've done this on our own radiant fork with various XSS fixes so our site can be secure from this threat: https://github.com/sealink/radiant/commits/1.x
By doing this before the 2.x release, extension authors a chance to get their extensions XSS compliant now. It might also highlight which extensions are 'dead' and allow others to take them over now rather than have to deal with all these issues at once when radiant release 2.x
Your thoughts?
Benny Degezelle
Jan 20, 2014, 12:02:20 PM1/20/14
to radiant...@googlegroups.com
I'm all for it! All the XSS-related commits were on November 14, right?
Op zondag 19 januari 2014 23:46:52 UTC+1 schreef Michael Noack:
Op zondag 19 januari 2014 23:46:52 UTC+1 schreef Michael Noack:
Michael Noack
Jan 20, 2014, 6:06:54 PM1/20/14
to radiant...@googlegroups.com
Yes. I can make a PR if needed
Michael Noack
Jan 20, 2014, 6:07:42 PM1/20/14
to radiant...@googlegroups.com
Probably also worth noting we've fixed various extensions that we use (see any extension in https://github.com/sealink) and usually one of the last 10 commits is fixing an XSS issue.
Jim Gay
Jan 27, 2014, 12:05:32 PM1/27/14
to radiant...@googlegroups.com
Thanks for looking into it Michael!
> --
> --
> Radiant CMS Dev Mailing List
> Post: radiant...@googlegroups.com
> Unsubscribe: radiantcms-de...@googlegroups.com
> Group Site: http://groups.google.com/group/radiantcms-dev/
> ---
> You received this message because you are subscribed to the Google Groups
> "Radiant CMS: Dev" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to radiantcms-de...@googlegroups.com.
> For more options, visit https://groups.google.com/groups/opt_out.
--
Write intention revealing code #=> http://www.clean-ruby.com
Jim Gay
Saturn Flyer LLC
571-403-0338
> --
> Radiant CMS Dev Mailing List
> Post: radiant...@googlegroups.com
> Unsubscribe: radiantcms-de...@googlegroups.com
> Group Site: http://groups.google.com/group/radiantcms-dev/
> ---
> You received this message because you are subscribed to the Google Groups
> "Radiant CMS: Dev" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to radiantcms-de...@googlegroups.com.
> For more options, visit https://groups.google.com/groups/opt_out.
--
Write intention revealing code #=> http://www.clean-ruby.com
Jim Gay
Saturn Flyer LLC
571-403-0338
Benny Degezelle
Jan 30, 2014, 7:34:50 AM1/30/14
to radiant...@googlegroups.com
I just pulled your changes and fixed some issues, all tests pass again.
Op maandag 27 januari 2014 18:05:32 UTC+1 schreef Jim Gay:
Jim; I went ahead and removed the deprecated r:url tags, as those were marked w/ deadline 1.2.
I had my doubts about initializers/radius_patch.rb, but any double? tag could have html nested into it so I guess that stands.
Radius can not be patched itself as there is (rightfully I think) no notion of XSS there.
Op maandag 27 januari 2014 18:05:32 UTC+1 schreef Jim Gay:
Reply all
Reply to author
Forward
0 new messages