High Tech Sorcery

Archive for August, 2010

Playing with Rails XSS protection

by on Aug.23, 2010, under Ruby On Rails

So in Rails 3 XSS protection is built in. This is good. In fact, I’ve wanted to see this since I first started coding Rails in the 1.x days. I have not started any Rails 3 projects yet, but I have been playing with enabling this on a Rails 2.3.8 project by using erubis and the rails_xss gem. Switching over, I found lots of problems where strings which should be safe are being escaped. Of course I can easily mark the string as safe, but I wanted to learn why this was happening. I found that the join method does not seem to keep strings safe.

>> ("foo".html_safe + "bar".html_safe).html_safe?
=> true
>> ("foo".html_safe << "bar".html_safe).html_safe?
=> true
>> ["foo".html_safe, "bar".html_safe].join.html_safe?
=> nil
>> ["foo".html_safe, "bar".html_safe].join(''.html_safe).html_safe?
=> nil

I’ve also noticed that mail_to does not return an html_safe string. It appears to have been fixed in Rails 3 but not corrected in the rails_xss gem.
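The join behaviour shown in the console session above, reproduced without Rails as an added example (not code from this post or from rails_xss). `SafeString`, `escape_html` and `escaping_join` are hypothetical names standing in for the safe-string type; the point is that `Array#join` builds a plain `String`, so the safe marking is lost, and that a join for HTML output should escape unmarked parts instead of marking the whole result safe by hand.

```ruby
# Simplified stand-in for a "safe" string type (hypothetical, constructed
# for this example; not the rails_xss or ActiveSupport implementation).
class SafeString < String
  def html_safe?
    true
  end
end

HTML_ESCAPES = {
  '&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;', "'" => '&#39;'
}.freeze

def escape_html(value)
  value.to_s.gsub(/[&<>"']/, HTML_ESCAPES)
end

# True only for values explicitly marked safe; plain strings are untrusted.
def html_safe?(value)
  value.respond_to?(:html_safe?) && value.html_safe? ? true : false
end

# Join parts for HTML output: parts already marked safe pass through,
# everything else is escaped first, and only then is the result marked safe.
def escaping_join(parts, sep = '')
  sep = escape_html(sep) unless html_safe?(sep)
  escaped = parts.map { |part| html_safe?(part) ? part : escape_html(part) }
  SafeString.new(escaped.join(sep))
end

# Constructed sample input: two trusted fragments and one untrusted value.
TRUSTED = [SafeString.new('<b>foo</b>'), SafeString.new('<i>bar</i>')].freeze
UNTRUSTED = '<script>alert(1)</script>'

def demo
  plain = TRUSTED.join # Array#join returns a plain String: marking is gone
  fixed = escaping_join(TRUSTED + [UNTRUSTED], SafeString.new('<br>'))
  { plain_safe: html_safe?(plain), fixed_safe: html_safe?(fixed), fixed: fixed.to_s }
end

demo.each { |key, value| puts "#{key}: #{value}" } if __FILE__ == $PROGRAM_NAME
```

Later Rails versions ship a `safe_join` view helper with the same escape-then-join behaviour.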


Kernel patches I’m hoping to see in Ubuntu 10.10

by on Aug.16, 2010, under Sysadmin

I’m planning on buying/building a new computer and I think I will install Ubuntu 10.10 on it. My plan is to use btrfs for the first time. Risky, but I will be taking nightly backups. However, Ubuntu 10.10 is planning on shipping with Linux 2.6.35, which has a severe btrfs performance regression as documented here:

But besides that, I’m also hoping that the I/O performance situation will be improved. It has been very difficult to track down where the bug is, but I have certainly experienced it. I haven’t tested the patches, but if they work I hope they find their way into Ubuntu 10.10.

