From 3eaa9272b12aa2c568f7595b99bf7aa4a62ff92f Mon Sep 17 00:00:00 2001
From: Andrew Cantino
Date: Sat, 7 Sep 2013 00:34:51 -0700
Subject: [PATCH] Prevent some possible XSS attacks where user input makes its way into JSON and contains tags.
---
 .../peak_detector_agent/_show.html.erb | 6 ++---
 .../twitter_stream_agent/_show.html.erb | 4 ++--
 app/views/agents/show.html.erb | 4 ++--
 app/views/events/show.html.erb | 2 +-
 lib/utils.rb | 16 ++++++++++++--
 spec/lib/utils_spec.rb | 22 +++++++++++++++++++
 6 files changed, 44 insertions(+), 10 deletions(-)
diff --git a/app/views/agents/agent_views/peak_detector_agent/_show.html.erb b/app/views/agents/agent_views/peak_detector_agent/_show.html.erb
index 29cb8921..cc9b341c 100644
--- a/app/views/agents/agent_views/peak_detector_agent/_show.html.erb
+++ b/app/views/agents/agent_views/peak_detector_agent/_show.html.erb
@@ -17,9 +17,9 @@ in the valid JSON can break the page and allow XSS attacks.
+ # Optionally, pass `:skip_safe => true` to not call html_safe on the output.
+ def self.jsonify(thing, options = {})
+ json = thing.to_json.gsub(' { :bar => "escape this!?" }}, "escape $.foo.bar").should == ["escape+this%21%3F"]
 end
 end
+
+ describe "#jsonify" do
+ it "escapes tags in the output JSON" do
+ cleaned_json = Utils.jsonify(:foo => "bar", :xss => "")
+ cleaned_json.should_not include("")
+ cleaned_json.should include("<\\/script>")
+ end
+
+ it "html_safes the output unless :skip_safe is passed in" do
+ Utils.jsonify({:foo => "bar"}).should be_html_safe
+ Utils.jsonify({:foo => "bar"}, :skip_safe => false).should be_html_safe
+ Utils.jsonify({:foo => "bar"}, :skip_safe => true).should_not be_html_safe
+ end
+ end
+
+ describe "#pretty_jsonify" do
+ it "escapes tags in the output JSON" do
+ cleaned_json = Utils.pretty_jsonify(:foo => "bar", :xss => "")
+ cleaned_json.should_not include("")
+ cleaned_json.should include("<\\/script>")
+ end
+ end
 end
\ No newline at end of file
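Review bot: `Utils.jsonify` marks its result html_safe by default, but the escaping the spec pins down (the output carries `<\/script>` where the input held a closing script tag) only neutralises a closing tag inside a `<script>` element, so the html_safe string is not safe to interpolate into element text or an attribute; the `# Optionally, pass ...` comment above `def self.jsonify` should say so, e.g. `# Only safe inside a <script> block: the JSON is not escaped for element text or attributes.` The gsub call on the line after the signature is garbled in this copy of the patch, so the exact replacement is inferred from the spec's expected output rather than seen. If the helper is meant as a general JSON-in-HTML escaper, rewriting `<`, `>` and `&` to `\uXXXX` escapes (the approach behind ActiveSupport's `escape_html_entities_in_json` setting) stays valid JSON and also covers the `<!--` and `<script` sequences the HTML script-data parser treats specially; if the narrower `</` rule is intentional, naming it in the comment avoids the helper being reused in the wrong context. The hunk headers for lib/utils.rb and spec/lib/utils_spec.rb are not recoverable here, so the enclosing definitions start and end outside what is visible.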