Hey all,
I’ve found that the standard VERBOTEN_TAGS and VERBOTEN_ATTRS constants
let far too much malicious code into a page.
I’m not talking about ugly-- I’m talking about stuff like javascript
redirects Bad!
Since they’re customizable, I have now:
ActionView::Helpers::TextHelper::VERBOTEN_TAGS=%w{frame form script
iframe meta}
ActionView::Helpers::TextHelper::VERBOTEN_ATTRS=/^(on|dynsrc)/i
(the dynsrc attribute can be added to an img tag, and popular browsers
will then execute javascript in the attribute.)
It would be nice if these modifications made it into the trunk, so no
one
else has the problems I’ve seen in production.
–
Justin Dossey