[rails] plugin: sanitize_attributes

I’ve made a Rails plugin, sanitize_attributes, and (after some help from jnichols at a recent Boston.rb hackfest) I’m happy to share it. It’s a rather small plugin, adding a light DSL to ActiveRecord models to quickly define pre-save data sanitization.

This came out of some work I was doing to fight cross-site scripting (XSS) attacks. Once the plugin was done, adding sanitization was a snap:

class Comment < ActiveRecord::Base
  # run both attributes through Sanitize before every save
  sanitize_attributes :title, :body, lambda{|text| Sanitize.clean(text)}
end

The gem I’m referencing above is rgrove’s Sanitize gem. I prefer it to the built-in Rails sanitization because it uses Hpricot (a true C-based parser) in the background. For fighting XSS attacks, if you’re not parsing and rewriting the HTML against a conservative whitelist, you’re not actually sanitizing anything.
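To show how a DSL like this hangs together, here is an added illustration (my own sketch, not the plugin’s code): a minimal re-creation of sanitize_attributes on top of a stand-in for ActiveRecord’s before-save hook, with a toy whitelist lambda standing in for Sanitize.clean.

```ruby
# Added illustration, not the plugin's own code: a minimal re-creation of the
# sanitize_attributes DSL on top of a stand-in for ActiveRecord's before-save hook.
module SanitizeAttributes
  def self.included(base); base.extend(ClassMethods); end
  module ClassMethods
    # Same shape as the post's usage: attribute names, then a sanitizer lambda.
    def sanitize_attributes(*attrs, sanitizer)
      (@sanitizers ||= []) << [attrs, sanitizer]
    end
    def sanitizers
      @sanitizers || []
    end
  end
  # Rewrites each registered attribute in place; nil values are left alone.
  def sanitize_attributes!
    self.class.sanitizers.each do |attrs, fn|
      attrs.each do |name|
        value = public_send(name)
        public_send("#{name}=", fn.call(value)) unless value.nil?
      end
    end
    self
  end
end

# Stand-in for ActiveRecord::Base (assumed here): sanitize, then "persist".
class FakeModel
  include SanitizeAttributes
  def save
    sanitize_attributes!
    true
  end
end

# Toy whitelist sanitizer standing in for Sanitize.clean: keeps only bare
# <b>, <i>, <p> tags and drops every attribute and every other tag. As the
# post argues, production code should use a real HTML parser instead.
ALLOWED_TAGS = %w[b i p].freeze
WHITELIST = lambda do |text|
  text.gsub(%r{<(/?)\s*([a-zA-Z0-9]+)[^>]*>}) do
    close, tag = Regexp.last_match(1), Regexp.last_match(2).downcase
    ALLOWED_TAGS.include?(tag) ? "<#{close}#{tag}>" : ''
  end
end

class Comment < FakeModel
  attr_accessor :title, :body
  sanitize_attributes :title, :body, WHITELIST
end
```

Calling `save` on a Comment rewrites `title` and `body` through the whitelist first, so a `<script>` tag or an `onclick` attribute never reaches storage.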

Relatedly, I’m working on a lightning talk about anti-XSS techniques that I could share at Boston.rb. I wouldn’t suggest that I’m a security guru, but there’s definitely some knowledge I want to share, and nobody wants to learn this the hard way.
