From 5056f7739545871faf36c91bb0614bc6e86c81b8 Mon Sep 17 00:00:00 2001
From: John Poulin
Date: Tue, 8 Apr 2014 14:33:38 -0400
Subject: [PATCH] Added codefix example for CSS context XSS.

---
 app/controllers/application_controller.rb | 7 ++++++-
 app/views/layouts/application.html.erb | 2 +-
 app/views/layouts/shared/_header.html.erb | 4 ++--
 3 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 56ad260..86c33e2 100755
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -1,7 +1,7 @@
 class ApplicationController < ActionController::Base
 before_filter :authenticated, :has_info
- helper_method :current_user, :is_admin?
+ helper_method :current_user, :is_admin?, :sanitize_font
 # Our security guy keep talking about sea-surfing, cool story bro.
 # protect_from_forgery
@@ -45,4 +45,9 @@ class ApplicationController < ActionController::Base
 redirect_to home_dashboard_index_path if redirect
 end
+ def sanitize_font(css)
+ css
+ # css if css.match(/\A[0-9]+([\%]|pt)\z/)
+ end
+
 end
diff --git a/app/views/layouts/application.html.erb b/app/views/layouts/application.html.erb
index 01d0022..9eb9896 100755
--- a/app/views/layouts/application.html.erb
+++ b/app/views/layouts/application.html.erb
@@ -9,7 +9,7 @@
 <% if cookies[:font] %>
-
+
 <% end %>
diff --git a/app/views/layouts/shared/_header.html.erb b/app/views/layouts/shared/_header.html.erb
index 95f1b31..3a62d80 100755
--- a/app/views/layouts/shared/_header.html.erb
+++ b/app/views/layouts/shared/_header.html.erb
@@ -2,8 +2,8 @@
 Font Size:
- A
- A
+ A
+ A
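Review bot: `sanitize_font` in the second application_controller.rb hunk returns `css` unchanged and the allow-list test is left as a comment, so the font value taken from the cookie reaches the CSS context with no validation at all, which is the defect the commit title says it fixes. Because a CSS property value cannot be made safe by HTML escaping, the helper should return the value only when it matches the allow-list and nil otherwise, e.g. `css.to_s[/\A[0-9]+(%|pt)\z/]`, which also handles a missing cookie instead of raising on nil. The view-side hunks in application.html.erb and _header.html.erb lost their markup in this rendering, so whether the helper is actually invoked there and how its result is interpolated cannot be checked from the patch. A short YARD comment on the helper would make the contract explicit, `# @return [String, nil] the font size when it is digits followed by % or pt, otherwise nil`.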