Archive for August, 2010
So in Rails 3 xss is protection is built in. This is good. In fact, I’ve wanted to see this since I first start coding rails in the 1.x days. I have not started any Rails 3 projects yet but I have been playing with enabling this on a Rails 2.3.8 project by using erubis and the rails_xss gem. Switching over I found lots of problems where strings which should be safe are being escaped. Of course I can easily mark the string as safe but I wanted to learn why this was happening. I found that the join method does not seem to keep strings safe.
1 2 3 4 5 6 7 8
>> ("foo".html_safe + "bar".html_safe).html_safe? => true >> ("foo".html_safe << "bar".html_safe).html_safe? => true >> ["foo".html_safe, "bar".html_safe].join.html_safe? => nil >> ["foo".html_safe, "bar".html_safe].join(''.html_safe).html_safe? => nil
I’ve also noticed that mail_to does not return an html_safe string. It appears to have been fixed in Rails 3 but not correct in the rails_xss gem.
I’m planning on buying/building a new computer and I think I will install Ubuntu 10.10 on it. My plan is to use btrfs for the first time. Risky, but I will be taking nightly backups. However, Ubuntu 10.10 is planning on shipping with the Linux 2.6.35 which has a severe btrfs performance regression as documented here:
But besides that I’m also hoping that the I/O performance situation will be improved. It has been very difficult to track down where the bug is but I have certainly experienced it. I haven’t tested the patches but if they work I hope they find there way into Ubuntu 10.10