Safe Erb plugin implementation issue

Posted 2024-10-16 17:08:33


I am trying to implement the Safe Erb Plugin in my Rails 2.0.2 app. I am
using this version for project specific purposes along with Ruby 1.8.7.

I have referred to the following tutorials:

http://www.railslodge.com/plugins/430-safe-erb
http://agilewebdevelopment.com/plugins/safe_erb

I could make only some sense of the above URLs as I am a newbie to
Rails and Rails related plugins. I honestly also found the above
tutorials to be very generic.

I really also couldn't relate this plugin's use to a great extent in terms of real world sense from the above tutorials. Could you please enlighten me on its day to day, real world usage?

I have implemented a books app which has an author, title and
publishing date. I am currently facing issues implementing the taint
feature of this plugin.

In the second tutorial, they say we need to call the tainted? method
from the Object class. I have done this in my create method of my
books_controller.rb. The code for the create method looks like this:

  def create
    @book = Book.new(params[:book])
    @book.publishing_date = params[:publishing_date]

    respond_to do |format|

      if @book.save
        flash[:notice] = 'Book was successfully created.'
        format.html { redirect_to(@book) }
        format.xml  { render :xml => @book, :status => :created, :location => @book }
      else
        format.html { render :action => "new" }
        format.xml  { render :xml => @book.errors, :status => :unprocessable_entity }
      end

      # taint check added while trying out the plugin
      if @book.tainted?
        flash[:notice] = 'Books are tainted'
        format.html { redirect_to(@book) }
        format.xml  { render :xml => @book, :status => :created, :location => @book }
      else
        flash[:notice] = 'Books aren\'t tainted'
        format.html { render :action => "new" }
        format.xml  { render :xml => @book.errors, :status => :unprocessable_entity }
      end

    end
  end

Upon creating a new book record I get a notice saying that "Books aren't tainted". I have
copied this plugin into my vendor/plugins directory.

As per the second tutorial url they say "The string becomes tainted when
it is read from IO, such as the data read from the DB or HTTP request."

But it's not happening in my case when I try to create a new book record.
Do I need to explicitly taint the string input I am taking (it's currently
in varchar as per DB types - I guess that shouldn't be an issue)? If yes,
could you please tell me how to do it.

OR

If it's not the above case, am I missing something?

Any insights on this would be really appreciated.

Thank you..


Comments (1)

花间憩 2024-10-23 17:08:33


To begin with, if you can move on to Rails 3 and Ruby 1.9.2, please do so. It will almost certainly be worth the effort. Rails 2.0.2 was released in 2007 and is at least 3 years old. Rails 3 provides better protection than this plugin, right out of the box.

Having said that, safe-erb appears to be providing some XSS protection. Going through the version of the plugin at https://github.com/abedra/safe-erb, you won't need to do anything special anywhere in your app to get it to work. Just install the plugin in vendor/plugins and you are good to go. Your controller should look just like it would without the plugin. You can do away with the if tainted block.

The way this plugin works is by hooking into various parts of the Rails processing queue and doing some taint management to make your views automatically throw an error whenever there is unescaped user text. To use it, you don't need to do anything in your models and controllers. In your views, make sure that data is passed through h before being displayed.
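The rule the answer ends with (pass user data through h in the view) and the kind of check safe-erb performs can be shown with a small stand-alone Ruby script. This is an added example, not code from the question, the answer, or the safe-erb plugin. It assumes no Rails and uses only the standard ERB library; because Ruby 3.2 removed the String#taint mechanism that Ruby 1.8 and safe-erb relied on, the script simulates the plugin's check by recording which template inputs are untrusted and verifying that none of them reaches the rendered output unescaped. The safe_render, escapes_untrusted? and UnescapedOutput names are this example's own.

```ruby
require 'erb'

# Constructed sample of untrusted input: a book title as an attacker might submit it.
UNTRUSTED_TITLE = '<script>alert("xss")</script>'

# Raised when an untrusted string reaches the rendered page unescaped.
class UnescapedOutput < StandardError; end

# The `h` helper the answer refers to: HTML-escapes <, >, &, " and '.
def h(str)
  ERB::Util.html_escape(str)
end

# Hypothetical stand-in for safe-erb's view check (not the plugin's code).
# `untrusted` maps template local names to user-supplied strings. After
# rendering, any of those strings that still appears verbatim in the output
# (and would have changed under escaping) is reported as unescaped.
def safe_render(template, untrusted)
  out = ERB.new(template).result_with_hash(untrusted)
  untrusted.each do |name, value|
    next unless value.is_a?(String)
    next if h(value) == value          # no HTML metacharacters: raw == escaped
    if out.include?(value)
      raise UnescapedOutput, "#{name} was rendered without h()"
    end
  end
  out
end

# True if the template escapes every untrusted input, false if the check fires.
def escapes_untrusted?(template, untrusted)
  safe_render(template, untrusted)
  true
rescue UnescapedOutput
  false
end

ESCAPED_VIEW   = '<h1><%= h(title) %></h1>'   # what the answer recommends
UNESCAPED_VIEW = '<h1><%= title %></h1>'      # the mistake safe-erb exists to catch

if __FILE__ == $PROGRAM_NAME
  puts safe_render(ESCAPED_VIEW, title: UNTRUSTED_TITLE)
  puts(escapes_untrusted?(UNESCAPED_VIEW, title: UNTRUSTED_TITLE) ? 'ok' : 'unescaped title detected')
end
```

Two points follow from running it. The escaped view renders the script tag as inert text, while the unescaped view trips the check, which is the behaviour the answer describes for the plugin. The substring comparison used here is cruder than a real taint bit (a value that legitimately appears elsewhere in the page would be misreported), which is why safe-erb tracked the flag on each string instead; that flag lived on the individual attribute strings, not on the model object, so checking tainted? on @book in the controller was never going to report it.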
