VERBOTEN_TAGS and VERBOTEN_ATTRS

Hey all,

I've found that the standard VERBOTEN_TAGS and VERBOTEN_ATTRS constants
let far too much malicious code into a page.

I'm not talking about ugly -- I'm talking about stuff like javascript
redirects. Bad!

Since they're customizable, I have now:

ActionView::Helpers::TextHelper::VERBOTEN_TAGS = %w{frame form script iframe meta}
ActionView::Helpers::TextHelper::VERBOTEN_ATTRS = /^(on|dynsrc)/i

(the dynsrc attribute can be added to an img tag, and popular browsers
will then execute javascript in the attribute.)

It would be nice if these modifications made it into the trunk, so no one
else has the problems I've seen in production.
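To show what the stricter constants actually do to markup, here is a small stand-alone Ruby filter in the style of the old blacklist-based TextHelper#sanitize, using the VERBOTEN_TAGS and VERBOTEN_ATTRS values from the post. This is an added illustration, not Rails' own code; the regexes, the `filter_attrs` helper and the extra `javascript:` check on href/src are assumptions made here.

```ruby
# Illustrative blacklist sanitizer (added example, not Rails' implementation).
VERBOTEN_TAGS  = %w{frame form script iframe meta}
VERBOTEN_ATTRS = /^(on|dynsrc)/i

# Crude tokenizer: one regex for tags, one for attributes (assumption: well-formed-ish HTML).
TAG_RE  = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/
ATTR_RE = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/

# Rebuild an attribute list, dropping anything matching VERBOTEN_ATTRS
# (so on* handlers and dynsrc go) and href/src values that are javascript: URLs.
def filter_attrs(attr_str)
  kept = []
  attr_str.scan(ATTR_RE) do |name, dq, sq, bare|
    next if name =~ VERBOTEN_ATTRS
    value = dq || sq || bare
    next if %w{href src}.include?(name.downcase) && value.to_s.strip =~ /\Ajavascript:/i
    kept << (value.nil? ? name : %(#{name}="#{value}"))
  end
  kept.empty? ? "" : " " + kept.join(" ")
end

# Forbidden tags are escaped so they render as text; other tags keep only safe attributes.
def sanitize(html)
  html.gsub(TAG_RE) do |whole|
    closing, name, attrs = $1, $2, $3
    selfclose = attrs =~ /\/\s*\z/ ? " /" : ""
    if VERBOTEN_TAGS.include?(name.downcase)
      whole.gsub("<", "&lt;")
    elsif closing == "/"
      "</#{name}>"
    else
      "<#{name}#{filter_attrs(attrs)}#{selfclose}>"
    end
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample input exercising the dynsrc and on* cases from the post.
  puts sanitize('<img src="x.gif" dynsrc="javascript:alert(1)" onload="evil()">')
  puts sanitize('<script>location="http://example.test"</script>')
end
```

A blacklist like this only catches what it has been told about; later Rails releases replaced it with an allowlist-based sanitizer, which is the safer default for user-supplied HTML.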

Justin Dossey wrote:

--
Justin Dossey

Then submit a patch to the rails trac....

dev.rubyonrails.org

_Kevin