adding security misconfig text

2013-11-12 18:53:28 -05:00
parent 655b636c38
commit fe9d8b266f
5 changed files with 106 additions and 5 deletions
@@ -0,0 +1,80 @@
+<div class="widget">
+    <div class="widget-header">
+      <div class="title">
+        <span class="fs1" aria-hidden="true" data-icon="&#xe092;"></span> A6 - Security Misconfiguration
+      </div>
+    </div>
+    <div class="widget-body">
+      <div id="accordion1" class="accordion no-margin">
+        <div class="accordion-group">
+          <div class="accordion-heading">
+            <a href="#collapseFive" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
+              <i class="icon-info icon-white">
+              </i>
+              Description
+            </a>
+          </div>
+          <div class="accordion-body in collapse" id="collapseFive" style="height: auto;">
+            <div class="accordion-inner">
+              Another one of the Rails security configurations relates to escaping HTML entities in JSON.
+            </div>
+          </div>
+        </div>
+        <div class="accordion-group">
+          <div class="accordion-heading">
+            <a href="#collapseSix" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
+              <i class="icon-bug icon-white">
+              </i>
+              Bug
+            </a>
+          </div>
+          <div class="accordion-body collapse" id="collapseSix" style="height: 0px;">
+            <div class="accordion-inner">
+              <p>When the following setting is set to false, HTML entities in JSON response will not be encoded.<p>
+               <p>
+            <pre class="ruby">
+            <%= %q{
+              ActiveSupport::escape_html_entities_in_json = false
+            } %>
+         </pre>
+         </p>
+            </div>
+          </div>
+        </div>
+        <div class="accordion-group">
+          <div class="accordion-heading">
+            <a href="#collapseSeven" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
+              <i class="icon-lightning icon-white">
+              </i>
+              Solution
+            </a>
+          </div>
+          <div class="accordion-body collapse" id="collapseSeven" style="height: 0px;">
+            <div class="accordion-inner">
+            <p>Edit the html_entities file at config/initializers/html_entities.rb and set the following to true.</p>
+            <p><pre class="ruby">
+            <%= %q{
+              ActiveSupport::escape_html_entities_in_json = true
+            } %>
+            </pre></p>
+            <p>Once the initializer is edited and the application is restarted, any HTML entities in JSON responses will be encoded.</p>
+            </div>
+          </div>
+        </div>
+      	<div class="accordion-group">
+          <div class="accordion-heading">
+            <a  style="background-color: rgb(181, 121, 158)" href="#collapseEight" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
+              <i class="icon-aid icon-white">
+              </i>
+              Hint
+            </a>
+          </div>
+          <div class="accordion-body collapse" id="collapseEight" style="height: 0px;">
+            <div class="accordion-inner">
+             Think HTML entities, escaping and initializers. 
+            </div>
+          </div>
+        </div>
+	</div>
+    </div>
+  </div>