Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Avoid usage of html_safe #305

Merged
merged 4 commits into from
May 11, 2018
Merged

Avoid usage of html_safe #305

merged 4 commits into from
May 11, 2018

Conversation

tijmenb
Copy link
Contributor

@tijmenb tijmenb commented May 11, 2018

This is a follow up to an incident last month where we found a XSS vulnerability caused by html_safe being called on untrusted user input (see alphagov/finder-frontend#480 and follow ups).

To avoid recurrence, this PR makes sure that 1) we're never calling html_safe so that everything is escaped by default, 2) we can't use it anymore. This makes escaping and calling html_safe the exclusive responsibility of the application.

See the individual commits for details.

@tijmenb tijmenb temporarily deployed to govuk-publishing-compon-pr-305 May 11, 2018 06:46 Inactive
it "doesn't use `html_safe`" do
files_with_html_safe = `grep -rni "html_safe" app/views/govuk_publishing_components/components`.lines

expect(files_with_html_safe).to be_empty
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🙏

Copy link
Contributor

@sihugh sihugh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It needs a rebase to resolve the conflict in CHANGELOG.md. If you're doing that, could you fix the link to http://api.rubyonrails.org/classes/ActionView/Helpers/OutputSafetyHelper.html in the commit message for the to_sentence view helper? It's wrapped over two lines and confused me for a second when I followed it and it didn't work.

Looks great otherwise 👍

tijmenb added 4 commits May 11, 2018 10:04
The `to_sentence` helper knows about safe and unsafe HTML and will
escape the unsafe input and not safe input like `hidden_links`.

See:

http://api.rubyonrails.org/classes/ActionView/Helpers/OutputSafetyHelper.html#method-i-to_sentence
This means the application will have to call `html_safe` on the thing
itself. This seems to only be used by the `frontend` application.
Now that we've removed all `html_safe` from the components we can add a
test to make sure we don't add it back.
@tijmenb tijmenb merged commit 76c2aa7 into master May 11, 2018
@tijmenb tijmenb deleted the no-html-safe branch May 11, 2018 10:10
@andysellick andysellick mentioned this pull request May 15, 2018
NickColley added a commit that referenced this pull request Jul 31, 2018
To see what led to this decision see:

- [an incident involving multiple components](#305)
- [a potential vulnerability with the govspeak component](#356).
NickColley added a commit that referenced this pull request Jul 31, 2018
To see what led to this decision see:

- [an incident involving multiple components](#305)
- [a potential vulnerability with the govspeak component](#356).
NickColley added a commit that referenced this pull request Jul 31, 2018
To see what led to this decision see:

- [an incident involving multiple components](#305)
- [a potential vulnerability with the govspeak component](#356).
NickColley added a commit that referenced this pull request Jul 31, 2018
To see what led to this decision see:

- [an incident involving multiple components](#305)
- [a potential vulnerability with the govspeak component](#356).
NickColley added a commit that referenced this pull request Jul 31, 2018
To see what led to this decision see:

- [an incident involving multiple components](#305)
- [a potential vulnerability with the govspeak component](#356).
NickColley added a commit that referenced this pull request Aug 1, 2018
To see what led to this decision see:

- [an incident involving multiple components](#305)
- [a potential vulnerability with the govspeak component](#356).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants