I am trying to implement the Safe Erb Plugin in my rails 2.0.2 app. I am using this version for project specific purposes along with Ruby 1.8.7.
I have referred to the following tutorials:
http://www.railslodge.com/plugins/430-safe-erb
http://agilewebdevelopment.com/plugins/safe_erb
I could make only some sense of the above URLs as I am a newbie to Rails and Rails related plugins. I honestly also found the above tutorials to be very generic.
I really also couldn't relate this plugin's use to a great extent in terms of real world sense from the above tutorials. Could you please enlighten me on its usage on a day-to-day, real-world basis?
I have implemented a books app which has an author, title and publishing date. I am currently facing issues implementing the taint feature of this plugin.
In the second tutorial, they say we need to call the tainted? method from the Object class. I have done this in my create method of my books_controller.rb. The code for the create method looks like this:
def create
  @book = Book.new(params[:book])
  @book.publishing_date = params[:publishing_date]
  respond_to do |format|
    if @book.save
      flash[:notice] = 'Book was successfully created.'
      format.html { redirect_to(@book) }
      format.xml  { render :xml => @book, :status => :created, :location => @book }
    else
      format.html { render :action => "new" }
      format.xml  { render :xml => @book.errors, :status => :unprocessable_entity }
    end
    # Taint check added while trying out the plugin. It registers responders for
    # the same formats a second time, and its flash[:notice] assignment is the last
    # one made, so it is the notice the user sees.
    if @book.tainted?
      flash[:notice] = 'Books are tainted'
      format.html { redirect_to(@book) }
      format.xml  { render :xml => @book, :status => :created, :location => @book }
    else
      flash[:notice] = 'Books aren\'t tainted'
      format.html { render :action => "new" }
      format.xml  { render :xml => @book.errors, :status => :unprocessable_entity }
    end
  end
end
Upon creating a new book record I get a notice saying that "Books aren't tainted". I have copied this plugin into my vendor/plugins directory.
As per the second tutorial url they say "The string becomes tainted when it is read from IO, such as the data read from the DB or HTTP request."
But it's not happening in my case when I try to create a new book record. Do I need to explicitly taint the string input I am taking (it's currently in varchar as per DB types - I guess that shouldn't be an issue)? If yes, could you please tell me how to do it.
OR, if it's not the above case, am I missing something?
Any insights on this would be really appreciated.
Thank you.
To begin with, if you can move on to rails 3 and ruby 1.9.2, please do so. It will almost certainly be worth the effort. Rails 2.0.2 was released in 2007 and is at least 3 years old. Rails 3 provides better protection than this plugin, right out of the box.
Having said that, safe-erb appears to be providing some XSS protection. Going through the version of the plugin at https://github.com/abedra/safe-erb, you won't need to do anything special anywhere in your app to get it to work. Just install the plugin in vendor/plugins and you are good to go. Your controller should look just like it would without the plugin. You can do away with the if tainted block.
The way this plugin works is by hooking into various parts of the Rails processing queue and doing some taint management to make your views automatically throw an error whenever there is unescaped user text. To use it, you don't need to do anything in your models and controllers. In your views, make sure that data is passed through h before being displayed.
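To make the taint-based mechanism the answer describes concrete, here is an added example that simulates it in plain Ruby; it is neither the plugin's code nor code from the original post. safe-erb relies on Ruby 1.8's built-in taint flag, which was removed in Ruby 3.2, so the untrusted mark is carried by a hypothetical TaintedString class here; taint_params, h, render_view and the two book page builders are all constructed for this demo. It also illustrates why a check on the Book object itself stays false: the mark lives on the individual strings coming from params, and only the h helper clears it by escaping.

```ruby
require 'cgi'

# Raised when a view would emit data that still carries its "untrusted" mark.
class UnsafeRenderError < StandardError; end

# Stand-in for Ruby 1.8's built-in taint flag: a String that remembers it came
# from an untrusted source (HTTP params, a DB row). Hypothetical class for this demo.
class TaintedString < String
  def tainted?
    true
  end
end

# On input, mark every request parameter as untrusted (what the plugin does for you).
def taint_params(params)
  params.each_with_object({}) { |(key, val), out| out[key] = TaintedString.new(val.to_s) }
end

# The h helper: HTML-escape and hand back a plain, untainted String.
# String.new matters: escaping a value with nothing to escape may just dup it,
# and dup would keep the TaintedString class.
def h(value)
  String.new(CGI.escapeHTML(value.to_s))
end

# Minimal "view": fragments are template literals or values. Like the plugin's
# output check, any fragment still marked untrusted aborts the render.
def render_view(fragments)
  fragments.each do |frag|
    if frag.respond_to?(:tainted?) && frag.tainted?
      raise UnsafeRenderError, "unescaped user data in view: #{frag.inspect}"
    end
  end
  fragments.join
end

# Constructed book page: every user-supplied value passes through h, so it renders.
def safe_book_page(params)
  p = taint_params(params)
  render_view(['<h1>', h(p['title']), '</h1><p>', h(p['author']), '</p>'])
end

# Same page with the title dropped in raw: the render is refused.
def unsafe_book_page(params)
  p = taint_params(params)
  render_view(['<h1>', p['title'], '</h1>'])
end
```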