Rails Plugin: sanitize_params
A while back, Tony wrote up a post on what we were doing to protect ourselves from XSS attacks. Today, I’m releasing that same basic chunk of code as a Rails plugin.
The gist of it is, we basically run everything in the params hash through Rick Olson’s excellent white_list plugin.
That’s it. Overkill? Possibly. However, it’s been working fantastic for us. And now, it can work for you.
Because XSS attacks are a horrible, horrible thing, and you never want to have to deal with one. Just ask Tony.
Get it here.
Special thanks to Jodi Showers for the initial plugin work.
Tags: code, opensource, rails, ruby
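To show the approach the post describes, here is an added example (not the sanitize_params plugin's own code, and not the white_list plugin): a small whitelist-based HTML sanitizer standing in for white_list, plus a recursive walk that runs every string in a params-style hash through it. The tag and attribute lists, the `safe_url?` helper and the sample params are constructed for this example.

```ruby
require 'cgi'

# Added example, not the sanitize_params plugin's own code. A tiny
# whitelist-based HTML sanitizer stands in for the white_list plugin,
# and sanitize_params walks a params-style hash and runs every string
# value through it, which is the approach the post describes.

# Anything not on these lists is escaped or dropped (constructed, minimal lists).
ALLOWED_TAGS      = %w(b i em strong a p br).freeze
ALLOWED_ATTRS     = { 'a' => %w(href) }.freeze
ALLOWED_PROTOCOLS = %w(http https mailto).freeze

# A URL is kept only if it is relative or uses an allowed scheme.
def safe_url?(url)
  scheme = url.strip[/\A([a-zA-Z][a-zA-Z0-9+.\-]*):/, 1]
  scheme.nil? || ALLOWED_PROTOCOLS.include?(scheme.downcase)
end

# Toy whitelist sanitizer: keeps allowed tags (rebuilt with only allowed
# attributes), escapes every other tag and every stray < or >. It assumes
# well-formed tags and does not handle '>' inside attribute values.
def sanitize_html(html)
  html.gsub(/<\/?([a-zA-Z0-9]+)([^>]*)>|[<>]/) do |tag|
    name, attrs = $1, $2
    # A bare < or > (no tag name captured) is escaped as text.
    next CGI.escapeHTML(tag) if name.nil?
    name = name.downcase
    next CGI.escapeHTML(tag) unless ALLOWED_TAGS.include?(name)
    next "</#{name}>" if tag.start_with?('</')

    kept = []
    attrs.scan(/([a-zA-Z\-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/) do |attr, dq, sq, bare|
      attr  = attr.downcase
      value = dq || sq || bare
      next unless (ALLOWED_ATTRS[name] || []).include?(attr)
      next if attr == 'href' && !safe_url?(value)
      kept << %(#{attr}="#{CGI.escapeHTML(value)}")
    end
    kept.empty? ? "<#{name}>" : "<#{name} #{kept.join(' ')}>"
  end
end

# Recursive walk over a params hash: nested hashes and arrays are descended,
# strings are sanitized, everything else (numbers, nil, uploads) is left alone.
def sanitize_params(value)
  case value
  when Hash   then value.each_with_object({}) { |(k, v), h| h[k] = sanitize_params(v) }
  when Array  then value.map { |v| sanitize_params(v) }
  when String then sanitize_html(value)
  else value
  end
end

# Constructed sample of a nested params hash as a Rails controller would see it.
SAMPLE_PARAMS = {
  'comment' => {
    'body' => 'Hi <b>there</b><script>alert(1)</script>',
    'tags' => ['<i>ok</i>', '<img src="x" onerror="alert(1)">'],
    'link' => '<a href="javascript:alert(1)" onclick="x">click</a>',
  },
  'page' => 2,
}.freeze

if __FILE__ == $0
  require 'pp'
  pp sanitize_params(SAMPLE_PARAMS)
end
```

In a controller this would hang off a before_filter (hypothetical name, e.g. `before_filter :scrub_params`) that replaces `params` with `sanitize_params(params)`. The caveat that makes this "overkill" is visible in the output: sanitizing on input rewrites every string field, so a plain-text field containing `1 < 2` comes back as `1 &lt; 2` whether or not it is ever rendered as HTML. Escaping at output time avoids that, and input sanitizing is best treated as a defence in depth on top of it rather than a replacement.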

November 28th, 2007 at 2:46 am
Looks fine! But unfortunately it doesn’t load…
This is what I get when the server starts:
from /usr/local/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:32:in `gem_original_require'
from /usr/local/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:32:in `require'
from path/vendor/rails/activesupport/lib/active_support/dependencies.rb:495:in `require'
from path/vendor/rails/activesupport/lib/active_support/dependencies.rb:342:in `new_constants_in'
from path/vendor/rails/activesupport/lib/active_support/dependencies.rb:495:in `require'
from path/vendor/rails/railties/lib/commands/server.rb:39
November 28th, 2007 at 10:14 am
@head:
It looks to me like you still need to install the white_list plugin, which sanitize_params uses. Check the README file. If you still have any issues, send me an email.
November 29th, 2007 at 5:01 pm
Just to follow up: if I try to run either white_list or sanitize_params alone, my app loads; with both plugins it fails to load.
Rails 1.2.5
App loads with:
config.plugins = %W( white_list )
App loads with:
config.plugins = %W( sanitize_params )
App does not load with:
config.plugins = %W( white_list, sanitize_params )
December 3rd, 2007 at 12:59 am
@greg:
You are correct, sir. It wasn’t working on 1.2.5. I took a quick peek and it is fixed in the current revision. Let me know if you have any other problems.
January 21st, 2008 at 3:41 am
Will there be any further development on this plugin?
And is this plugin Rails 2 compatible?
January 21st, 2008 at 1:26 pm
@Moritz:
Yeah, the plugin is Rails 2 compatible. I’ll update the docs to say so.
As far as additional development, we’re using it and others are as well, but it is essentially feature complete; sanitize_params sets out to do one thing and do it well. If you’ve enhanced it in any way, though, I’d love to hear about it.
March 17th, 2008 at 10:18 am
I’m still having the problem with the plugin. Does the plugin actually run on Rails 1.2.6? I get the following errors:
=> Booting Mongrel (use 'script/server webrick' to force WEBrick)
=> Rails application starting on http://0.0.0.0:3000
=> Call with -d to detach
=> Ctrl-C to shutdown server
** Starting Mongrel listening at 0.0.0.0:3000
** Starting Rails with development environment…
Exiting
/usr/local/lib/ruby/gems/1.8/gems/rails-1.2.6/lib/commands/servers/mongrel.rb:15: warning: already initialized constant OPTIONS
/usr/local/lib/ruby/gems/1.8/gems/rails-1.2.6/lib/commands/servers/mongrel.rb:18: undefined method `options' for []:Array (NoMethodError)
from /usr/local/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:32:in `gem_original_require'
from /usr/local/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:32:in `require'
from /usr/local/lib/ruby/gems/1.8/gems/activesupport-1.4.4/lib/active_support/dependencies.rb:495:in `require'
from /usr/local/lib/ruby/gems/1.8/gems/activesupport-1.4.4/lib/active_support/dependencies.rb:342:in `new_constants_in'
from /usr/local/lib/ruby/gems/1.8/gems/activesupport-1.4.4/lib/active_support/dependencies.rb:495:in `require'
from /usr/local/lib/ruby/gems/1.8/gems/rails-1.2.6/lib/commands/server.rb:39
from /usr/local/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:27:in `gem_original_require'
from /usr/local/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:27:in `require'
from script/server:3
I appreciate your help.