undefined | Better HN

0 pointsryanlol10y ago0 comments

I'm not sure how who he is or what he does is at all relevant here.

Especially considering that he makes pretty obvious factual errors, e.g:

>[CVE-2015-7578/79] Possible XSS vulnerability in rails-html-sanitizer: You're safe if you use a single page application that properly encode for you. Stripping tags isn't the best way anyway to filter XSS, so if you're encoding, you're good.

If you don't want any HTML you aren't supposed to be using rails-html-sanitizer, it's specifically for scenarios where you can't do that.

0 comments

andersonmvd10y ago

True, but there are better alternatives in some situations, e.g., bbcode or markdown processing rather than stripping tags. The point for such scenarios is that whitelist is better than blacklist.

dsp123410y ago

The point for such scenarios is that whitelist is better than blacklist.

from CVE-2015-7580:

Carefully crafted strings can cause user input to bypass the sanitization in the white list sanitizer

So people are using a whitelist, and this bug is in that whitelist. In other words, people are "doing the right thing" and are still vulnerable.

makomk10y ago

BBcode can go pretty horrifically wrong from a security perspective because you're still generating HTML markup based on unstructured, untrusted user input. There's a long and nasty history of XSS issues in forums that use BBcode where clever use of mismatched markup has made it possible to break the HTML generator enough to inject JavaScript and other nasties.

ryanlolOP10y ago

Absolutely, bbcode and markdown processing are significantly better alternatives.

Also, I'm pretty sure you're specifically supposed to use rails-html-sanitizer with a whitelist. (See: Rails::Html::WhiteListSanitizer)

j / k navigate · click thread line to collapse