I had some coffee a bit too late yesterday, and it gave me a burst of productivity on xss_terminate, my plugin that HTML-escapes your models' string attributes when you save them.
xss_terminate now supports Rails 2.2. It is backwards compatible with Rails 2.0 and 2.1.
I also moved the plugin source to GitHub, and incorporated a bug fix from redinger.
You can install it using
script/plugin install git://github.com/look/xss_terminate.git
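To make the "escape on the way in" approach concrete, here is an added example that is not the plugin's own code: a plain Ruby model that emulates a Rails before_save callback and HTML-escapes every String attribute before the row is stored. The class, attribute names and the in-memory "store" are assumptions made for the example so that it runs without ActiveRecord.

```ruby
require "cgi"

# Added example (not xss_terminate's code): escape HTML on save.
# Rails' before_save callback is emulated with a plain save method.
class EscapingRecord
  attr_reader :attributes

  # Attribute names are whatever the caller passes; the example uses
  # :title and :views, which are assumptions, not a real schema.
  def initialize(attributes)
    @attributes = attributes.dup
    @saved = nil
  end

  # Emulates the callback order: before_save runs, then the row is written.
  def save
    before_save
    @saved = @attributes.dup # stand-in for the database row
    true
  end

  # Stand-in for reloading the record from the database.
  def reload_from_store
    @saved
  end

  private

  # Every String attribute is HTML-escaped; non-strings are left alone.
  def before_save
    @attributes.each do |name, value|
      @attributes[name] = CGI.escapeHTML(value) if value.is_a?(String)
    end
  end
end

# Escaping an already-escaped value turns "&lt;" into "&amp;lt;", so a view
# that escapes the stored value a second time would show the entities
# literally. This helper lets you compare the two rendering choices.
def render_escaped_value(stored, escape_again:)
  escape_again ? CGI.escapeHTML(stored) : stored
end

if __FILE__ == $0
  record = EscapingRecord.new(title: "<script>alert(1)</script>", views: 3)
  record.save
  puts record.reload_from_store[:title]
end
```

Because the value is escaped before it reaches the database, anything that renders it afterwards must not escape it a second time, or the stored entities come out doubled; that is the trade-off of escaping on the way in rather than on the way out.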


Thanks, Luke! I’m going to be upgrading Co-op to Rails 2.2 in the next couple weeks and this will help a bunch.
I wrote about the same plugin a few months ago. http://github.com/joevandyk/fixie_whitelister
It automatically sanitizes the stuff in the request params.
Link to Fixie Whitelister
Cool, Joe. My plugin works similarly but it sanitizes in before_save.
Another good one (especially for paranoiacs) is Cross Site Sniper. It sanitizes on the way out of the database. You can use it in combination with sanitizing on the way in for double protection.
Hi Luke,
Your plugin works like a charm and is a must-have for everyone. Thanks for keeping it maintained and for hosting it on GitHub.
Best regards,
Crap! That plugin is not maintained, or maintained badly! I updated my website, and in production mode I get the following error message:
NameError (uninitialized constant XssTerminate::InstanceMethods::RailsSanitize):
I was really pissed off.
I have found the following 'related' issue and fix: http://code.google.com/p/xssterminate/issues/detail?id=3#c0
So does it work or shall I simply move on to another plugin, or better, write my own?
Sorry for being so harsh yesterday. I wanted to do the last update of the year, and it got me nervous when I saw my website crash due to xss_terminate just before celebrating the new year. If I find the cause of the problem I will submit a patch.
Best wishes for 2009
On this blog, monkey island code, I have found a way to fix the bug. You have to put the following code in an initializer:

    # empty class_eval: referencing RailsSanitize here loads the constant at boot
    RailsSanitize.class_eval do
    end
Thomas, if you read the blog post you’ll note that one of the changes I just made was Rails 2.2 compatibility.
You can get the Rails 2.2 compatible code from GitHub like this:
script/plugin install git://github.com/look/xss_terminate.git
Hi Luke,
I checked out your GitHub code, and it still doesn't work out of the box in production mode when I submit data through a POST request. I still need to add the initializer I talked about in my previous comment. Maybe your GitHub code is not in sync with your latest code?
Best regards,
Please submit a bug to the issue tracker: http://code.google.com/p/xssterminate/issues/list
Include the stack trace and what version of Rails you are using.
I have to say that I am using this in production in Rails 2.0.5, 2.1.2 and 2.2.2 with no problems.
Hi Luke,
I tested using a freshly scaffolded rails app, and it worked without the initializer. There might be an incompatibility with one of my other plugins.
If I find which one, I'll let you know.