This gem provides a module called
SanitizeUrl, which you can mix-in anywhere you like. It provides a single method:
http:// scheme if no valid scheme is found.
Rails mitigates some of the danger by automatically URL-encoding in the
link_to helper, but this does not solve every problem. For example, it doesn't remove plain old
require 'rubygems' require 'sanitize-url' include sanitize_url('www.example.com')
This gem uses a whitelist approach, killing any schemes that aren't in the list. This should block
data: URLs, both of which can be used for XSS. The default list of allowed schemes is:
http:// https:// ftp:// ftps:// svn:// svn+ssh:// git:// mailto:
You can pass in your own whitelist like this:
sanitize_url('http://example.com', :schemes => ['http', 'https'])
sanitize_url receives a URL with a forbidden scheme, it wipes out the entire URL and returns a blank string. You can override this behavior and have it return a string of your choosing like this:
See the spec/sanitize_url_spec.rb for some examples of the how this gem transforms URLs.
gem install sanitize-url
If that doesn't work, it's probably because the gem is hosted on Gemcutter, and your computer doesn't know about Gemcutter yet. To fix that:
gem install gemcutter gem tumble
For most projects, I prefer that people use GitHub's issue tracker. But given the sensitive nature of security vulnerabilities, I prefer private messages for this one.
Copyright (c) 2010 Jarrett Colby. See LICENSE for details.