link_to中的XSS Unsafe参数值

时间:2016-01-19 01:51:28

标签: ruby ruby-on-rails-4 xss

Code Climate在html.haml之一的代码行中给出了一个“Cross Site Scripting”错误:

- (EventHandlerRef)handlerRef {

    if ( handlerRef == nil ) {
       NSAssert( InstallEventHandler(GetApplicationEventTarget(),
                                     &EventHandler,
                                      0,
                                      nil,
                                      self,
                                      &handlerRef ) == noErr, @"handlerRef" );
    }

    return handlerRef;
  }

  // this is a Carbon callback that the OS invokes when your app gets
  // a hotkey event that must be handled by you
  OSStatus EventHandler( EventHandlerCallRef inHandler,
                         EventRef inEvent,
                         void* inUserData )
 {
     EventHotKeyID hotKeyID;
     GetEventParameter( inEvent,
                        kEventParamDirectObject,
                        typeEventHotKeyID,
                        nil,
                        sizeof(EventHotKeyID,
                        nil,
                        &hotKeyID ) 

   // use this to get your MyOwnEventHandler object back if need be
   // the reason why we get this is because we passed self in InstallEventHandler
   // in Carbon event callbacks you cannot access self directly
   // because this is a C callback, not an objective C method
    MyOwnEventHandler* handler = (MyOwnEventHandler *)inUserData;

   // handle the hotkey here - I usually store the id of the EventHotKeyID struct
   // in a objective C hotkey object to look up events in an array of registered hotkeys

  return eventNotHandledErr; // return this error for other handlers to handle this event as well
}

// call this objective C wrapper method to register your Carbon Event handler
- (void)registerForGettingHotKeyEvents {
       const EventTypeSpec kHotKeysEvent[] = {{ kEventClassKeyboard,   kEventHotKeyPressed }};
       AddEventTypesToHandler( [self handlerRef], GetEventTypeCount(kHotKeysEvent), kHotKeysEvent );
    }

// call this objective C wrapper method to unregister your Carbon Event handler
- (void)unregisterFromGettingHotKeyEvents {
       const EventTypeSpec kHotKeysEvent[] = {{ kEventClassKeyboard,   kEventHotKeyPressed }};
       RemoveEventTypesFromHandler( [self handlerRef], GetEventTypeCount(kHotKeysEvent), kHotKeysEvent );
    }

在控制器中,@ redirect_uri是:

= link_to 'Next', @redirect_uri, data: { no_turbolink: true }, class: 'btn btn-primary'

params [:redirect_uri]是一个非常长的网址,其中包含重定向uri。

究竟出了什么问题?如何让Code Climate感到高兴?

1 个答案:

答案 0 :(得分:4)

Code Climate正在抱怨,因为您已将可能由用户提供的redirect_uri嵌入您的网页中。该URI可能是JavaScript,它将在用户单击链接时执行。由于用户点击了您页面呈现的链接,因此JS可以访问该页面,就像您自己编写代码一样,因此某些狡猾的人可以将您想要的各种信息泄露给用户和您的服务器有权访问。

尝试使用以下链接:

http://your.web.site/?redirect_uri=alert('Boom');

由于您已经加入Rails,因此您可以访问sanitize,它会为您清除URL的邪恶部分,我希望能够安静Code Climate。还有一些可能有帮助的SO问题:

相关问题
最新问题