by neil on September 10, 2008
Let's take a simple example: you allow a user to enter his company name, and you then display that company name at the top of his profile page.

We fetch the company name from the database and display it:
When another user visits the attacker's profile page, a JavaScript alert dialogue is displayed, because the company name the attacker entered is written into the page unescaped.

The attacker may have read my post on popup dialogues and decided to annoy you with one. But be warned, far more malicious code could be injected.
Solution? Use the html_escape method (available in views as h).
This replaces the characters that have special meaning in HTML (&, <, >, and quotes) with their entity equivalents, so the browser renders them as text instead of markup. We could simply rewrite the code above as:
<%= h user.company.name %>
<%# h is an alias for html_escape %>
You need to escape every string that could contain malicious content, which in practice means every string a user can influence.
It is easy to forget just one string, making your entire application vulnerable.
Being forgetful, I use the Safe ERB plugin.
Once installed, it raises an exception for each output string that has not been escaped using the h() method.
If you wish to allow a string with formatting (HTML you intend to keep), you can use the untaint method, which tells Safe ERB the string is trusted. Only untaint a string you have already sanitized, since untaint itself removes nothing.
<%= user.company.name.untaint %>
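The vulnerable and the escaped templates side by side, as an added example that is not part of the original post. It renders both with Ruby's standard ERB and ERB::Util (which provides html_escape and its alias h, the same method Rails exposes), using a constructed company name, and it includes a small hypothetical template audit in the spirit of Safe ERB that flags every output tag not wrapped in h or html_escape. The Company and User structs stand in for the Rails models and are assumptions.

```ruby
require "erb"
include ERB::Util # provides html_escape and its alias h

# Constructed attacker-controlled company name (not real data).
MALICIOUS_NAME = "<script>alert('xss')</script>"

# Minimal stand-ins for the Rails models: a user whose company has a name.
Company = Struct.new(:name)
User = Struct.new(:company)

# Unescaped template: the bug described in the post.
UNSAFE_TEMPLATE = "<h1><%= user.company.name %></h1>"
# Escaped template: the fix, using h (alias of html_escape).
SAFE_TEMPLATE = "<h1><%= h user.company.name %></h1>"

# Render a template with `user` visible to it, as a view would.
def render(template, user)
  ERB.new(template).result(binding)
end

# Safe ERB-style audit (hypothetical helper, not the plugin itself):
# return the expressions of every <%= %> tag whose output is not passed
# through h(...) or html_escape(...).
def unescaped_outputs(template)
  template.scan(/<%=\s*(.*?)\s*%>/m).flatten.reject do |expr|
    expr.match?(/\A(h|html_escape)[\s(]/)
  end
end

# Raise, as Safe ERB does, when a template contains unescaped output.
def check_template!(template)
  bad = unescaped_outputs(template)
  raise "unescaped output: #{bad.join(', ')}" unless bad.empty?
  template
end

if __FILE__ == $PROGRAM_NAME
  user = User.new(Company.new(MALICIOUS_NAME))
  puts "unsafe: #{render(UNSAFE_TEMPLATE, user)}"
  puts "safe:   #{render(SAFE_TEMPLATE, user)}"
  puts "audit:  #{unescaped_outputs(UNSAFE_TEMPLATE).inspect}"
end
```

The escaped render turns the angle brackets and quote into &lt;, &gt; and &#39;, so the name is shown literally rather than executed. The audit is deliberately simple (a regular expression over the template text); it does not know which strings came from the database, whereas Safe ERB tracks that through Ruby's taint flag, which is why untaint is the escape hatch in the post.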
by neil on September 8, 2008
1. Quicksilver
Quicksilver allows you to search for and launch applications easily.

Quicksilver not only allows you to load items but also perform actions on those items.
Here I’m sending a file via email from the Quicksilver interface.

Download: Quicksilver
2. Fluid
There are internet applications that require more attention than just a simple browser tab. Fluid allows any WebApp to act like a desktop application.

Visit the Fluid icons Flickr group for a collection of dock icons.
Download: Fluid
3. Automator
Automator allows you to easily automate repetitive tasks without the complex programming normally required. A task is assembled by dragging individual actions into an Automator workflow. You can run your created workflow, share with others or even create plugins for applications.

Here I’ve created a plugin that automatically sets up my development environment.

Result: Applications needed are opened and the windows are positioned on screen.

4. TextExpander
TextExpander allows you to create abbreviations for commonly used text/image snippets.
E.g. I’ve assigned my blog URL to the abbreviation “tnt”. Whenever I type “tnt”, the full URL http://thenexttrain.co.za/ is inserted.

Download: TextExpander
5. KeyCue (Shortcut Keys)
KeyCue gives you an instant overview of all the shortcut keys for any application. Using shortcut keys will save you time. So next time you reach for the mouse, check to see if you can perform the same task with a shortcut key.

Download: KeyCue