[WARNING] Don't trust strip_links()

Posted by pratik
on Wednesday, July 04

After coming across Ticket 8864 I tried to play around a bit more with link tags. And guess what, they're more broken than I ever thought. And it's not just Rails, but Firefox too.

For example, consider the following HTML:

<html>
<head><title>Seriously, wtf !?</title></head>
<body>
  <href onMouseover="alert(document.location)">whatever
</body>
</html>

This actually works in Firefox. But it looks fine (blank) in Safari/IE. (No, I don't use Windows. I asked a friend to check it.)

Result? Applications that depend on strip_links() to strip link tags are open to XSS attacks.

I feel this is a critical issue in Firefox, and it's not just related to Rails. In some special cases it could be really risky.
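To make the failure concrete, here is an added example (not code from the post and not the Rails source) showing why a link-only filter is not a safe boundary. The naive_strip_links method is an assumption: a regex in the spirit of the 2007-era helper that unwraps <a ...>text</a> and ignores everything else. The sample markup is constructed from the post; the escaping step is what h() does in a Rails view.

```ruby
require 'erb'

# Constructed sample input reproducing the markup from the post.
# An element named "href" is not an <a> link, so a link-only filter never
# touches it, and the inline onMouseover handler survives into the page.
SAMPLE = %q{<href onMouseover="alert(document.location)">whatever}

# Assumption: a regex-based link stripper in the spirit of the 2007-era
# helper. Illustration only, not the Rails source. It unwraps
# <a ...>text</a> and leaves every other tag alone.
def naive_strip_links(html)
  html.gsub(%r{<a\b[^>]*>(.*?)</a>}mi, '\1')
end

# Detection: list the inline event-handler attribute names (on*=) still
# present in the raw markup after filtering. A non-empty result means the
# filter did not remove the thing that actually runs script.
def inline_event_handlers(html)
  html.scan(/\b(on[a-z]+)\s*=/i).flatten.map(&:downcase).uniq
end

# Mitigation: escape on output so the browser renders text, never markup.
# This is the behaviour of h() in Rails views.
def render_as_text(untrusted)
  ERB::Util.html_escape(untrusted)
end

if __FILE__ == $0
  stripped = naive_strip_links(SAMPLE)
  puts "after link-only filter:     #{stripped}"
  puts "event handlers left behind: #{inline_event_handlers(stripped).inspect}"
  puts "escaped for output:         #{render_as_text(SAMPLE)}"
end
```

Run it and the first line comes back identical to the input: the filter only knows about <a>, so the onMouseover attribute is reported as still present. The escaped form turns < and " into entities, which is why the comment below recommends h() over any tag-stripping helper.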

I've submitted my patch with a modified version of strip_links() anyway.

Wait and watch.

Comments


  1. Tore Darell, July 04, 2007 @ 10:09 AM

    Don’t trust ANYTHING other than h(). There are a hundred ways of getting past “smart” HTML filtering and probably a hundred more that are yet to be discovered.