Pivotal Labs
Monthly Archives: January 2010

Standup 1/5: capistrano and bundler

Pivotal Labs
Wednesday, January 6, 2010

A gotcha when using Capistrano (cap) together with Bundler:

“If deploy.rb does a require ‘auto_tagger’ and the auto_tagger gem is in the app’s bundle but not the system, running the system cap won’t find the auto_tagger gem. Using bin/cap runs the bundled cap and thus has access to all the gems in the bundle.”
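The failure mode above shows up as a bare LoadError from deep inside Capistrano. The following is an added example, not code from the Pivotal post or from the auto_tagger or Capistrano projects: a small guard for deploy.rb that requires a gem from the bundle and, when it is missing, says whether Bundler was active at all (i.e. whether the system cap was run instead of bin/cap). The helper names and the error class are assumptions for the example.

```ruby
# Added example (not from the Pivotal post): fail fast in deploy.rb when a gem
# that lives only in the app's bundle is not visible to the running cap.
require 'rubygems'

class BundledGemMissing < LoadError; end

# Require a gem and, if it is not on the load path, explain the likely cause in
# terms of the gotcha above: the system `cap` was run instead of `bin/cap`.
def require_bundled(gem_name)
  require gem_name
  true
rescue LoadError
  bundler_active = defined?(Bundler) ? true : false
  hint = if bundler_active
           "Bundler is active but #{gem_name} is not in the bundle; " \
           "add it to the Gemfile and run bundle install"
         else
           "Bundler is not active, so only system gems are visible; " \
           "run bin/cap (or bundle exec cap) instead of the system cap"
         end
  raise BundledGemMissing, "cannot load #{gem_name}: #{hint}"
end

# Convenience for checking the diagnosis without aborting: returns nil when the
# gem loads, otherwise the message require_bundled would have raised with.
def bundled_gem_hint(gem_name)
  require_bundled(gem_name)
  nil
rescue BundledGemMissing => e
  e.message
end

# In deploy.rb (assumed usage), instead of a bare require 'auto_tagger':
#   require_bundled 'auto_tagger'
```

When bin/cap is used, Bundler has already put the bundle on the load path before deploy.rb is read, so the require succeeds and the guard is a no-op; the diagnosis only fires in the mis-invoked case.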

Standup 1/4: XSS Galore

Pivotal Labs
Tuesday, January 5, 2010
  • XSS #1: There’s a big cross-site scripting hole if you build a meta refresh tag from user input: the URL in its content attribute can be a javascript: or data: URL, so HTML-escaping the value alone does not make the tag safe.

  • XSS #2: Cross-site scripting resources, from an internal mailing list:

    • “I’ve gained a new appreciation for the importance of carefully thinking through security and escaping in RoR; there’s more than just h()’ing all your user-entered data.”

    • XSS vulnerabilities – http://ha.ckers.org/xss.html.
      Very useful catalog of different XSS vectors. Includes some utilities to base64-, URL- and hex-encode attacks so you can test them against your apps.

    • General OWASP wiki – http://www.owasp.org/index.php/Main_Page. Lots of useful information here. OWASP is a nonprofit group chartered to improve the security of web apps in general.

    • Security Guide for RoR – http://www.lulu.com/product/download/owasp-ruby-on-rails-security-guide/4489819.
      General guidelines and things to think about when securing RoR apps.

    • Loofah – http://github.com/flavorjones/loofah is supported by a fellow Pivot and provides fast, thorough sanitization built on Nokogiri, albeit slightly slower on short strings than brittle regular expressions. It’s in production at several companies.

      “Loofah excels at HTML sanitization (XSS prevention). It includes some nice HTML sanitizers, which are based on HTML5lib’s whitelist, so it most likely won’t make your code less secure.”

  • Happy New Year
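To make the meta refresh point (XSS #1) and the “more than just h()” point concrete, here is an added example written for this page; it is not code from the standup, from Rails, or from Loofah. It uses only the Ruby standard library: ERB::Util.html_escape stands in for Rails’ h(), and the helper names and the scheme allowlist are assumptions for the example. The vulnerable helper escapes the user-supplied target and still emits a working javascript: URL; the hardened helper validates the URL’s scheme before escaping and refuses anything that is not http(s) or a same-site path.

```ruby
# Added example (not from the post, Rails, or Loofah): escaping is not
# validation. A meta refresh target must be checked as a URL, not as text.
require 'erb'
require 'uri'

# Vulnerable: h()-style escaping only stops the value from breaking out of the
# attribute. "javascript:alert(1)" contains nothing that gets escaped, so the
# browser is handed a javascript: (or data:) URL to navigate to.
def meta_refresh_vulnerable(target)
  %(<meta http-equiv="refresh" content="0;url=#{ERB::Util.html_escape(target)}">)
end

# Assumed allowlist for this example: only absolute http(s) URLs with a host,
# or same-site paths, may be used as a refresh target.
ALLOWED_SCHEMES = %w[http https].freeze

# Returns the target if it passes the allowlist, otherwise nil.
# Anything the URI parser rejects (tabs, spaces, control characters) is nil too.
def safe_refresh_url(target)
  uri = URI.parse(target.to_s.strip)
  if uri.scheme
    return nil unless ALLOWED_SCHEMES.include?(uri.scheme.downcase)
    return nil if uri.host.nil? || uri.host.empty?
  else
    # Scheme-less: allow "/path" but not "//evil.example", which browsers
    # treat as protocol-relative and take to another host.
    return nil unless uri.host.nil? && uri.path.start_with?('/')
  end
  uri.to_s
rescue URI::Error
  nil
end

# Hardened: validate first, then escape. Returns nil for an unsafe target so
# the caller can send the user to a known-good page instead of emitting the tag.
def meta_refresh_safe(target)
  url = safe_refresh_url(target)
  return nil unless url
  %(<meta http-equiv="refresh" content="0;url=#{ERB::Util.html_escape(url)}">)
end
```

The order matters: validate the value as a URL, then escape it for the HTML context it lands in. Escaping protects the markup around the value; it says nothing about what the value means to the browser once it is read back as a URL.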

National Lab Day on whitehouse.gov

Pivotal Labs
Monday, January 4, 2010

It’s been great building the National Lab Day website, and it’s also wonderful to have the site recognized on whitehouse.gov. This makes two sites we’ve worked on that have gotten attention in the Innovations Gallery, since Peer to Patent was similarly recognized.

The video from whitehouse.gov (below) does a better job explaining the project than I can:

And yes, the voice on the video clip is our own Mike Grafton.

Tweed and Scoop among Best Apps of 2009

Pivotal Labs
Monday, January 4, 2010

pre|central.net has posted their picks for Best Apps of 2009, and they’ve picked both of the apps we developed internally as must-have apps in their categories, with Tweed at the top of the list in the Social Networking category, and Scoop being edged out by The New York Times in the News category. (We will concede that they have a little more experience in the News world than we do. ;-) The AP Mobile app also gets a shout out in the News Category, which some of you know is another app we developed, in this case on behalf of a client.

Thanks to the pre|central folks for picking our apps, and to all our users for installing those apps, and for all your feedback.
