html_safe radiant layouts


Michael Noack

Aug 14, 2013, 10:17:14 PM
to radiant...@googlegroups.com
Hi,
I'm currently upgrading an app from Radiant 1.0.1 to the latest stable (1.1.3).

We're dealing with XSS issues so we're trying to get the rails_xss plugin working. Things mostly work (and I've backported many fixes from master to the 1.1.3 version) but the layouts still completely escape.

We aren't using master as we want to be on a stable release.

It appears the only fix I can get it to work is the following:

app/models/page.rb
     def parse(text)
-       lazy_initialize_parser_and_context.parse(text)
+       lazy_initialize_parser_and_context.parse(text).html_safe
     end
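Review bot: calling `.html_safe` on the whole result of `lazy_initialize_parser_and_context.parse(text)` makes `Page#parse` assert that every tag definition has already escaped any untrusted content it interpolates; a single tag that returns a plain String containing editor- or user-supplied data will now be rendered raw, whereas before this change rails_xss escaped it along with the rest of the layout. Either have each tag return an html_safe SafeBuffer for markup it has escaped itself and let the parser concatenate into a SafeBuffer (so unsafe String output is escaped on append), or, if the blanket call stays, add a comment on `parse` stating the invariant that tag definitions are responsible for escaping their own output.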


Obviously at some point the layouts/snippets must be escaped and this seems like a reasonable point BUT I'm wondering if there is anything else to do? (other than rely on all tag definitions to be returning html_safe content)

Jim Gay

Aug 18, 2013, 10:33:39 PM
to radiant...@googlegroups.com
I'm sorry to say that I'm not really sure.
This looks like a reasonable solution, though you might want to hook into it elsewhere.
Will you always know that the text is html_safe?




--
Write intention revealing code #=> http://www.clean-ruby.com

Jim Gay
Saturn Flyer LLC
571-403-0338

Michael Noack

Aug 21, 2013, 8:16:17 AM
to radiant...@googlegroups.com
Thanks.

We're finding the occasional XSS that wasn't in radiant master.

Feel free to check our radiant fork at http://github.com/sealink/radiant for XSS fixes that will no doubt be of use for radiant.

Michael Noack

Aug 21, 2013, 8:19:45 AM
to radiant...@googlegroups.com