safe_erb

Automatically detect improperly escaped text in ERB templates

MIT License

Downloads
8.8K
Stars
16
Committers
2
View Code on GitHub Visit Website
Ecosystems: Ruby

= Safe ERB

== Overview

Safe ERB lets you make sure that the string written by "<%= %>" in your rhtml template is escaped correctly. If you try to show the attributes in the ActiveRecord instance read from the database or the parameters received from the request without escaping them using "h" method, an exception will be raised. This will significantly reduce the possibility of putting cross-site scripting vulnerability into your web application.

The check is done using "tainted?" method in Object class which is a standard feature provided by Ruby - the string is "tainted" when it is read from IO. When ERB::Util#h method is called, this plugin "untaints" the string, and when "<%= %>" is called in your rhtml template, it raises an exception if the string you are trying to show is tainted.

== About this version of Safe ERB

This fork of Safe ERB has been modified to work with Mephisto under Rails 2.2. It may work with other Rails applications. Patches are welcome!

== Installation

Just put this plugin into vendor/plugins directory in your Rails application. No configuration is needed.

This version of Safe ERB has been tested with Mephisto under Rails 2.2. It has been tested with SQLite3, and there's a decent chance it should work with PostgreSQL and MySQL (and any other database which properly taints the data returned from the database).

== Details

The string becomes tainted when it is read from IO, such as the data read from the DB or HTTP request. However, the request parameters are not tainted in functional and integration tests, and also if your server is Mongrel. Hence this plugin installs before_filter into ActionController::Base that always taints request parameters and cookies.

The returned values from the following methods become untainted:

  • ERB::Util#h
  • ActionView::Helpers::TagHelper#escape
  • ActionView::Helpers::TextHelper#strip_tags

Also, you can always untaint any string manually by calling "untaint" method (standard Ruby feature).

Several ActionView helpers have also been modified to untaint their return values. This is a temporary measure to get things working with Mephisto. See the source for details.

== Contact

The orignal safe_erb plugin was written by Shinya Kasatani .

This forked version was written by Eric Kidd, based on work by Matthew Bass.

Package Rankings
Top 28.78% on Rubygems.org
Related Projects
rails_best_practices

a code metric tool for rails projects

03 Nov 2009 4,139
html5_validators

A gem/plugin for Rails 3, Rails 4, Rails 5, and Rails 6 that enables client-side validation using...

16 May 2011 304
himl

HTML-based Indented Markup Language for Ruby

17 Mar 2019 234
zen-rails-security-checklist

Checklist of security precautions for Ruby on Rails applications.

10 Apr 2017 1,811
mongrel-esi

An ESI enabled proxy caching server.

21 Mar 2009 12
kazan

Kazan creates rails project and setups predefined gems and tools. Env settings, Spec tools, Datab...

09 Oct 2016 26
vite-plugin-erb

Use ERB files in Vite.js projects with a Ruby backend

06 May 2021 5
effigy

Ruby views without a templating language

06 Oct 2009 206
erbse

Next-generation ERB.

25 May 2015 48
erblint-github

Template style checking for GitHub's Ruby projects

19 Oct 2021 43
vscode_rails_syntax

Rails Syntax Highlighting for Visual Studio Code

07 Mar 2020 13
request_exception_handler

Rails gem/plugin for dealing with request parameter parsing exceptions

06 Sep 2009 37
string_template

A template engine for Rails, focusing on speed, using Ruby's String interpolation syntax

28 Dec 2017 125
erbal

Very small, very fast Ragel/C based ERB parser

02 Sep 2009 29
params_sanitizer

A dead simple plugin that sanitizes user provided data when it's sent to your server instead of d...

09 Nov 2009 8