ActiveRecord::UnknownAttributeError: unknown attribute: <script type

rubyonrails-talk
1

Has anyone seen this happening to their apps?

I'm starting to get errors like this come across from one of my apps:

  ActiveRecord::UnknownAttributeError: unknown attribute: <script type

The parameters being sent are:

{"user"=>   {"email_confirmation"=>"someone@example.com",    "wants_new_message_notifications"=>"1",    "is_admin"=>"0",    "<script type"=>"=MyLastName",    "first_name"=>"MyFirstName",    "email"=>"someone@example.com"}, "account_id"=>"1", "action"=>"create", "controller"=>"users", "_"=>""}

Obviously it throws this error since my user model doesn't have a property named "<script type".

So far it looks like it's coming from Safari only, both Windows and Mac.

I'm wondering what could be renaming the form field names on the client side to cause this? I have verified that the rendered HTML is correct.

2

How? Using the W3C validator?

I'd bet on a mis-matched/imbalanced quotes and/or tags somewhere close to that input field.

Unless you have some JavaScript doing some funny innerHTML insertions; but easy enough to turn off JS and see if the error recurs.

FWIW,

3

Could be a bug or even someone trying to inject malicious javascript code into your app. Either case its a good practice to have these kind of scenarios covered by tests.

You should also make sure that some fields are protected from mass-assignment. In your hash you have is_admin => 0. If you have in your controller:   User.create params[:user]   # or   @user.update_attributes params[:user]

Then anybody can create an admin user by posting is_admin=1, unless you protect it in your model like this:

class User < ActiveRecord::Base   attr_protected :is_admin   # or   attr_accessible :name, :email, :username end

Railscasts.com has some screencasts on this topic: Ruby on Rails Screencasts - RailsCasts

4

Could be a bug or even someone trying to inject malicious javascript code into your app. Either case its a good practice to have these kind of scenarios covered by tests.

How? It's not really feasible to strip attrs that don't belong from the params... I'd have to query the targeted model for its list of valid params and then reject non-matches. The idiom is to trustingly throw the whole hash at the model - "User.create params[:user]".

This error doesn't seem to be so much a security risk as just perplexing. Happened again on another action today... random field, "unknown attribute: description<script type". Safari only again.

You should also make sure that some fields are protected from mass-assignment. In your hash you have is_admin => 0. If you have in your controller: User.create params[:user] # or @user.update_attributes params[:user]

Thanks, this has already been done.