I am using Rails3 with tinymce. How to introduce user to close javascript browser, then enter xss?

Question

I am using Rails3 with tinymce. How to introduce user to close javascript browser, then enter xss?

I have a website written by Rails3. My message model has a text column naming "content". In the message panel, the html form sets the "content" column in the textarea field with a tinim. On the first page, because of the use of tinymce, the post.html.erb code must be implemented using a raw method, for example, <%= raw @post.content %> .

Ok, now if I close the browser javascript, this text box can be entered without tinymce, and perhaps the user will enter any xss, like <script>alert('xss');</script> . My front will show this warning window.

I am trying to sanitize(@post.content) in posts_controller, but the sanitize method will filter the tinymce style with each other. For example, <span style='color:red;'>foo</span> becomes <span>foo</span> .

My question is: how to filter xss input and keep tinymce style at the same time?

+6

ruby ruby-on-rails tinymce xss

Jcrt Jun 20 '11 at 9:56

source share

1 answer

jdeseno · Accepted Answer · 2011-06-20T15:32:39+0000

The sanitizer can be customized to have a style attribute. In config/application.rb add:

 config.action_view.sanitized_allowed_attributes = ['style']

The sanitize method also has default values for which css properties and keywords allow. See sanitizer.rb allowed_css_properties and allowed_css_keywords for a list of default values.

To add some that are currently not allowed, add this to your config/application.rb :

 config.action_view.sanitized_allowed_css_keywords = ['puke']

-

If you are doing something more complex than this, you need to write some code. I do not recommend doing this from scratch, check out the Loofah Gem for a good library for writing html scrubbers.

I am using Rails3 with tinymce. How to introduce user to close javascript browser, then enter xss?

More articles: