
In a similar Rails app, I was able to make a recursive Hash-checking function which then runs the Sanitize gem's clean/fragment method to remove any HTML elements from incoming params hash. I used a before filter in the application_controller so everything gets scrubbed app-wide (it's a big app).

Backstory: XSS attacks were possible, particularly in IE browsers, but really we just don't want any of this stuff being saved into the database anyway. Though the ultimate goal was that JSON output didn't contain it.

I tried to do the same thing in a Sinatra app (which has some ActiveSupport and JRuby ActiveRecord bundled in), but the Sanitize gem won't bundle, because this particular app runs in JRuby for some database reasons. Sanitize needs Nokogiri, which in turn needs Nokogumbo, and the latter just won't build in this JRuby environment.

So I tried doing a before filter in app.rb using Rack::Util's built in html escape method, but that blows up the app.

Are there any alternative ways I can think about

1) Sanitizing all incoming params into a (JRuby) Sinatra app

And if not, a lesser option:

2) make it so all JSON that is parsed sanitizes values in said JSON attribute-value lists?

PS - Part of the issue here is that an included local gem, which handles a lot of the params and does JSON rendering, is proving impossible to debug. I'll include Pry in both the host app and the locally linked gem, and when I try to Pry into the gem, I can't view the params hash (it just shows as empty); there seems to be an issue of scope.

rcd

3 Answers

Sanitize gem won't bundle, because this particular app runs in JRuby for some database reasons. Sanitize needs Nokogiri, which in turn needs Nokogumbo, and the latter just won't build in this JRuby environment.

seems wrong as Nokogiri works in JRuby (has a -java specific gem), try a bundle update nokogiri so that you get Sanitize to play nicely ...

So I tried doing a before filter in app.rb using Rack::Util's built in html escape method, but that blows up the app.

again, too bad. maybe post details on your gem versions and the failures you run into. although the preferred option, I believe, would be to get something that worked under MRI working under JRuby - thus I would try again to use Nokogiri.

kares
  • I was able to get Nokogiri to build with JRuby, but the Sanitize gem's gemspec also has a specific dependency on Nokogumbo, set at version 1.4.1, and that would not build with JRuby, so that is where the Sanitize gem seemed to fail to be an option. – rcd Dec 19 '15 at 04:25
  • you should have been more accurate in the question: *Sanitize needs Nokogiri, which in turn needs Nokogumbo* which I understood wrong. so the options left are build a Nokogumbo compatible interface e.g. using a "native" [Java HTML parser](http://java-source.net/open-source/html-parsers) (writing a JRuby extension or using JRuby's Java scripting integration) or migrate to a different library as you attempted. both are not really for a SO answer but more of real-world coding session :) – kares Dec 19 '15 at 10:23

Per Sinatra, there are 2 good ways of escaping. Both are mentioned on the website. http://www.sinatrarb.com/faq.html#escape_html

1) Using Rack. The OP mentioned that it was blowing up the app. Could you please explain more? Meanwhile, to use the Rack method, you can use the following code snippet. Once the param has been cleaned, you can use that.

cleanedParam = Rack::Utils.escape_html(params[:some_param_name])

2) Using the Erubis gem. The gem is written in pure Ruby. Set up the erubis gem as follows:

require 'erubis'
set :erb, :escape_html => true

Once that is done, you can use erubis when outputting a template:

erb :index
lsu_guy

You can iterate through each of the parameters in the params hash and use Rack's escape_html method to escape HTML elements contained in each parameter.

params.each do |p, v|
  params[p] = Rack::Utils.escape_html(v)
end

The documentation for escape_html can be found here.
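The recursive, app-wide scrubbing the asker describes (and the flat `params.each` loop above, extended to nested hashes and arrays) as an added example; this is not code from the question or any of the answers. It uses the stdlib `CGI.escapeHTML` as a stand-in for `Rack::Utils.escape_html` so it runs without the rack gem, and the Sinatra `before` hook is shown in a comment because it assumes a `Sinatra::Base` app.

```ruby
# Added example, not from the question or answers: recursive HTML-escaping
# of a Rack/Sinatra params hash. CGI.escapeHTML (stdlib) stands in for
# Rack::Utils.escape_html so the file runs without rack installed.
require 'cgi'

module ParamScrubber
  module_function

  # Walk hashes and arrays recursively and escape only String leaves.
  # Non-string leaves (numbers, nil, Tempfile objects from uploads) pass
  # through unchanged. A flat `params.each` with escape_html instead
  # calls to_s on nested hashes/arrays and turns them into escaped
  # inspect-strings, which is why the recursion matters.
  def deep_escape(value)
    case value
    when Hash   then value.each_with_object({}) { |(k, v), h| h[k] = deep_escape(v) }
    when Array  then value.map { |v| deep_escape(v) }
    when String then CGI.escapeHTML(value)
    else value
    end
  end

  # In-place variant, key by key, so Sinatra's own params object is kept.
  def scrub!(params)
    params.keys.each { |k| params[k] = deep_escape(params[k]) }
    params
  end

  # Sinatra hook (assumes a Sinatra::Base subclass):
  #   before do
  #     ParamScrubber.scrub!(params)
  #   end
end

# Constructed sample resembling a nested Sinatra params hash.
SAMPLE_PARAMS = {
  'name'    => '<script>alert(1)</script>',
  'tags'    => ['<b>ok</b>', 'plain'],
  'profile' => { 'bio' => 'a & b', 'age' => 42 },
  'note'    => nil
}.freeze

# Returns a scrubbed copy; SAMPLE_PARAMS itself is left untouched.
def scrubbed_sample
  ParamScrubber.deep_escape(SAMPLE_PARAMS)
end

puts scrubbed_sample.inspect if $PROGRAM_NAME == __FILE__
```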