Security: Form Tokens and HTML Sanitizing
September 23rd, 2007
Two important security updates today:
HTML White Lists
The #sanitize, #strip_tags, and #strip_links view helpers have been beefed up with functionality merged into Rails from the white_list plugin, a much stricter way of dealing with suspect input.
Previously these helpers acted more as blacklists, and it was fairly easy to slip past them.
The new helpers allow customization: you can change what is allowed from the defaults.
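To make the blacklist-versus-whitelist distinction concrete, here is a small allow-list sanitizer written for this post in plain Ruby. It is an added illustration, not the code of the white_list plugin or of the Rails helpers: the class name, the default tag and attribute lists and the sample inputs are all made up for the example. Anything not explicitly allowed (unknown tags, unknown attributes, href/src values with a non-allowed scheme) is dropped, which is the property that makes an allow-list hard to slip past.

```ruby
# Added example: a minimal allow-list HTML sanitizer (not the Rails implementation).
require 'cgi'

class AllowListSanitizer
  # Everything not on these lists is removed; this is what distinguishes
  # an allow-list from a blacklist that tries to enumerate bad tags.
  DEFAULT_TAGS   = %w[a b i em strong p br ul ol li blockquote code pre].freeze
  DEFAULT_ATTRS  = %w[href src title alt].freeze
  SAFE_PROTOCOLS = %w[http https mailto].freeze

  # Matches an opening or closing tag; attribute values containing '>' are
  # not handled by this toy tokenizer (a real sanitizer uses an HTML parser).
  TAG_RE  = /<\s*(\/?)\s*([a-zA-Z][a-zA-Z0-9]*)\b([^>]*?)\s*\/?>/
  ATTR_RE = /([a-zA-Z][\w:-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/

  def initialize(tags: DEFAULT_TAGS, attributes: DEFAULT_ATTRS)
    @tags = tags.map(&:downcase)
    @attributes = attributes.map(&:downcase)
  end

  # Walk the input, escaping text and rebuilding only allowed tags.
  def sanitize(html)
    out = +''
    last = 0
    html.scan(TAG_RE) do
      m = Regexp.last_match
      out << escape_text(html[last...m.begin(0)])
      out << rebuild_tag(m[1], m[2].downcase, m[3])
      last = m.end(0)
    end
    out << escape_text(html[last..-1])
    out
  end

  private

  # Stray angle brackets in text become entities so they can never open a tag.
  # Existing '&' entities are left untouched to keep the example short.
  def escape_text(text)
    text.gsub('<', '&lt;').gsub('>', '&gt;')
  end

  # Unknown tags vanish entirely; known tags keep only allowed attributes.
  def rebuild_tag(slash, name, raw_attrs)
    return '' unless @tags.include?(name)
    return "</#{name}>" if slash == '/'

    attrs = raw_attrs.scan(ATTR_RE).map do |key, dq, sq, bare|
      key = key.downcase
      next unless @attributes.include?(key)
      value = dq || sq || bare || ''
      next if %w[href src].include?(key) && !safe_url?(value)
      %(#{key}="#{CGI.escapeHTML(value)}")
    end.compact
    attrs.empty? ? "<#{name}>" : "<#{name} #{attrs.join(' ')}>"
  end

  # Relative URLs pass; absolute URLs must use an allowed scheme. Whitespace
  # and control characters are stripped first so they cannot hide a scheme.
  def safe_url?(url)
    cleaned = url.downcase.gsub(/[\s\x00-\x1f]/, '')
    scheme = cleaned[/\A([a-z][a-z0-9+.-]*):/, 1]
    scheme.nil? || SAFE_PROTOCOLS.include?(scheme)
  end
end

if __FILE__ == $PROGRAM_NAME
  s = AllowListSanitizer.new
  # Constructed sample input: an allowed tag carrying a disallowed attribute.
  puts s.sanitize('<b onmouseover="evil()">bold</b> and 1 < 2')
end
```

Passing a custom `tags:` or `attributes:` list to the constructor plays the same role as changing the defaults of the Rails helpers: the allow-list grows only when you say so.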
Cross Site Request Forgery
This change adds a hidden form token to all non-GET requests. The token is based on the user's session, and prevents other sites from showing users forms that will submit to your app.
This was originally the csrf_killer plugin, and you can find more details about it at Active Reload.
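The following is an added example of the mechanism described above, written in plain Ruby with no Rails or Rack dependency; it is not the csrf_killer plugin's code. The class name, the secret, the `authenticity_token` parameter name and the session ids are assumptions for the illustration. The token is an HMAC of the session id under a server-side secret, so a form rendered for one session cannot be submitted as another, and a page on a different site has no way to learn the value to put in its own form.

```ruby
# Added example: session-bound form tokens checked on every non-GET request.
require 'openssl'

class FormTokenGuard
  SAFE_METHODS = %w[GET HEAD].freeze   # read-only verbs are not checked
  PARAM = 'authenticity_token'.freeze  # hidden field name (assumed)

  def initialize(secret)
    @secret = secret                   # server-side secret, never sent to clients
  end

  # Token derived from the session id, so each session gets its own value
  # and a token captured for one session is useless for another.
  def token_for(session_id)
    OpenSSL::HMAC.hexdigest('SHA256', @secret, session_id)
  end

  # Hidden field to embed in every form the app renders.
  def hidden_field(session_id)
    %(<input type="hidden" name="#{PARAM}" value="#{token_for(session_id)}">)
  end

  # Returns true if the request may proceed. GET/HEAD pass untouched;
  # everything else must carry the token that matches the caller's session.
  def verified?(method, session_id, params)
    return true if SAFE_METHODS.include?(method.upcase)

    submitted = params[PARAM].to_s
    secure_compare(submitted, token_for(session_id))
  end

  private

  # Constant-time comparison so timing does not leak how many bytes matched.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize

    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  guard = FormTokenGuard.new('constructed-example-secret')
  sid = 'session-abc123' # constructed session id
  puts guard.hidden_field(sid)
  # A forged POST from another site carries no valid token and is rejected.
  puts guard.verified?('POST', sid, {})
  puts guard.verified?('POST', sid, { 'authenticity_token' => guard.token_for(sid) })
end
```

In a real application the check runs once in a before-filter (the Rails equivalent is protect_from_forgery), and the hidden field is emitted by the form helpers, so application code never handles the token directly.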