简体繁体 English

我的Rails 3应用程序需要接受html数据，并安全显示它！如何减少安全隐患？

[英]my rails 3 app needs to accept html data, and display it but safely! how to minimize security perils?

原文 2011-02-25 05:54:44 3 1 ruby-on-rails/ security/ http-post

One of the features of my app is to permit a user to add their facebook or twitter 'button' to their profile. 我的应用程序的功能之一是允许用户将其Facebook或Twitter“按钮”添加到其个人资料中。

The 'obvious' approach is give them a text_area field, have them paste the facebook or twitter 'code', then on their profile display raw fbk_button_field and raw twitter_button_field “显而易见”的方法是给他们一个text_area字段，让他们粘贴facebook或twitter的“ code”，然后在他们的配置文件上显示raw fbk_button_field和raw twitter_button_field

(Facebook is an iframe, twitter is a reference to remote ajax). （Facebook是iframe，twitter是对远程Ajax的引用）。

But obviously a user could paste anything into that field, and I'm assuming Thats A Pretty Bad Thing that leaves the system open to a variety of exploits. 但是显然用户可以将任何内容粘贴到该字段中，并且我认为那是一件相当糟糕的事情，这会使系统对各种漏洞利用开放。

So what is the right way to permit users to add 'social buttons' to their profile, without being able to insert an exploit instead. 因此，什么是允许用户在其个人资料中添加“社交按钮”而又不能插入漏洞利用的正确方法。

1 个解决方案

The most secure solution would be to have them enter their Twitter or Facebook account and recreate the button yourself. 最安全的解决方案是让他们输入其Twitter或Facebook帐户并自己重新创建按钮。 That way you can easily strip HTML from the account name and you don't have to worry. 这样，您可以轻松地从帐户名中删除HTML，而不必担心。

While the above is ideal, you could also use something like the sanitize gem to strip out HTML tags and attributes. 尽管上面的方法很理想，但您也可以使用诸如sanitize gem之类的东西来去除HTML标签和属性。