I'm pleased to announce the release of Cross Site Sniper 0.2.
Cross Site Sniper is one more addition to the ever-growing list of tools that attempt to provide a convenient and DRY way to protect Rails sites from Cross Site Scripting (XSS) attacks. There are many plugins and tools out there that attempt to address this issue, but none of them met my requirements. So, I created Cross Site Sniper, a Ruby on Rails plugin that automatically wraps html_escape() around the ActiveRecord attribute reader methods for string and text columns in the database.
* All ActiveRecord classes have their dynamically generated accessor methods for String and Text fields escaped automatically. So whether you call the method from a view, a helper, or in a controller as part of an RJS response, you don't need to remember to wrap it in h(), because the value is already escaped.
* Form fields on edit forms are prepopulated with *un*escaped data. Users edit exactly what they originally submitted, without special characters disappearing or unexpectedly morphing into strings of other characters (the double-escaping problem you get when an already-escaped value is escaped again by the form helper).
* Easy one-off access to the unescaped data when you need it, e.g. @person.name_without_html_escaping
* A convenience method for class definitions is available to fine tune which string and text fields get escaped automatically.
* The original, unescaped text is stored in the database and escaped on output. This makes the unescaped data easier to get at when necessary, and means improved scrubbing techniques can be applied to legacy data instantly, simply by upgrading the plugin or swapping it out for another. (Some XSS plugins choose to escape the data on input, a philosophy I don't personally agree with but some people do, so I thought it was important to mention this explicitly here so people can make an informed decision.)
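To make the feature list above concrete, here is a small plain-Ruby sketch of the escape-on-output idea: raw text is what gets stored, the generated reader escapes on read, a `<attr>_without_html_escaping` reader returns the raw value, and a form helper escapes that raw value exactly once. This is an added example written for this post, not the plugin's own code; it does not touch ActiveRecord, and the `escape_on_output` declaration, the `Person` class, and the two form-helper functions are assumptions made up for the illustration. `ERB::Util.html_escape` is the Ruby standard-library function that Rails' `h()` wraps.

```ruby
require "erb"

# Escape-on-output as a plain Ruby module (illustrative example, not the
# plugin's code; no ActiveRecord involved). @attributes holds the raw text,
# i.e. what would be written to the database unchanged.
module OutputEscaping
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    # Declare which string/text attributes get escaped readers.
    # (The declaration name is an assumption for this example.)
    def escape_on_output(*attrs)
      attrs.each do |attr|
        define_method(attr) do
          raw = @attributes[attr]
          raw.nil? ? nil : ERB::Util.html_escape(raw)   # keep a NULL column nil
        end
        define_method("#{attr}_without_html_escaping") { @attributes[attr] }
        define_method("#{attr}=") { |value| @attributes[attr] = value }
      end
    end
  end

  def initialize(values = {})
    @attributes = {}
    values.each { |name, value| public_send("#{name}=", value) }
  end

  # What the database would hold: the original, unescaped text.
  def stored_attributes
    @attributes.dup
  end
end

class Person
  include OutputEscaping
  escape_on_output :name, :bio   # string and text columns
  attr_accessor :age             # an integer column is left alone
end

# Edit-form helper: start from the raw value and escape it exactly once for
# the attribute context, so the browser shows the user their original text.
def edit_form_value(record, attr)
  raw = record.public_send("#{attr}_without_html_escaping")
  ERB::Util.html_escape(raw)
end

# The mistake the unescaped reader exists to avoid: escaping the already
# escaped reader a second time, so the input box literally shows "&lt;b&gt;".
def double_escaped_form_value(record, attr)
  ERB::Util.html_escape(record.public_send(attr))
end

if __FILE__ == $PROGRAM_NAME
  # constructed sample input
  person = Person.new(name: %q(<b>Bob</b> & "co"), bio: nil, age: 30)
  puts person.name                               # escaped, safe to render
  puts person.name_without_html_escaping         # raw, as submitted
  puts edit_form_value(person, :name)            # escaped once for a value=""
  puts double_escaped_form_value(person, :name)  # the double-escaping bug
end
```

The nil check in the generated reader matters in practice: `ERB::Util.html_escape(nil)` returns `""`, so without it a NULL column would silently turn into an empty string and break `if record.bio` style checks.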
Documentation and Installation instructions are at http://xss.rubyforge.org/
Feedback and suggestions are welcome and encouraged. Big thanks to my employer (www.wwidea.org) for allowing this code to be released to the community under the MIT License.