Playing with Rails XSS protection

So in Rails 3, XSS protection is built in. This is good. In fact, I've wanted to see this since I first started coding Rails in the 1.x days. I have not started any Rails 3 projects yet, but I have been playing with enabling this on a Rails 2.3.8 project by using erubis and the rails_xss gem. Switching over, I found lots of places where strings that should be safe are being escaped. Of course I can easily mark the string as safe, but I wanted to learn why this was happening. I found that the join method does not seem to keep strings safe.

>> ("foo".html_safe + "bar".html_safe).html_safe?
=> true
>> ("foo".html_safe << "bar".html_safe).html_safe?
=> true
>> ["foo".html_safe, "bar".html_safe].join.html_safe?
=> nil
>> ["foo".html_safe, "bar".html_safe].join(''.html_safe).html_safe?
=> nil

I've also noticed that mail_to does not return an html_safe string. It appears to have been fixed in Rails 3 but is not yet correct in the rails_xss gem.
