by eropple 3794 days ago
I have a much bigger problem with your post than his--and calling him out for a "terrible attitude" regarding security is a little bit funny seeing as he runs Gauntlet.io, which while not my favorite scanner out there is a legit tool that deserves more respect than you have afforded him. He has his bona fides; where are yours?

And, more concretely, I have no problem with his pointing out that some of--not all, but some--these issues are ones mitigated by decent, security-aware software development practices, like, oh, "don't spit something into a template out of your input parameters". Because tools break. Your libraries break. They will always break. Program defensively in all situations where hostile input is possible and never take for granted any attempts to defuse attacks; always favor braces-and-belt wherever possible and you'll generally do okay. It's entirely unnecessary to be a jerk towards him for saying this.


I'm not sure how who he is or what he does is at all relevant here.

Especially considering that he makes pretty obvious factual errors, e.g.:

>[CVE-2015-7578/79] Possible XSS vulnerability in rails-html-sanitizer: You're safe if you use a single page application that properly encodes for you. Stripping tags isn't the best way anyway to filter XSS, so if you're encoding, you're good.

If you don't want any HTML you aren't supposed to be using rails-html-sanitizer, it's specifically for scenarios where you can't do that.

True, but there are better alternatives in some situations, e.g., bbcode or markdown processing rather than stripping tags. The point for such scenarios is that a whitelist is better than a blacklist.

from CVE-2015-7580:

Carefully crafted strings can cause user input to bypass the sanitization in the white list sanitizer

So people are using a whitelist, and this bug is in that whitelist. In other words, people are "doing the right thing" and are still vulnerable.

BBcode can go pretty horrifically wrong from a security perspective because you're still generating HTML markup based on unstructured, untrusted user input. There's a long and nasty history of XSS issues in forums that use BBcode where clever use of mismatched markup has made it possible to break the HTML generator enough to inject JavaScript and other nasties.
Absolutely, bbcode and markdown processing are significantly better alternatives.

Also, I'm pretty sure you're specifically supposed to use rails-html-sanitizer with a whitelist. (See: Rails::Html::WhiteListSanitizer)
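The exchange above (a whitelist sanitizer that can still be bypassed, and BBCode generators broken by mismatched markup) comes down to one design rule: user text must never reach the output as markup. As an added example that is not code from this thread, from rails-html-sanitizer, or from any forum software, here is a small BBCode-to-HTML renderer built that way. Every character of input is HTML-escaped first; only an allowlist of BBCode tags becomes HTML; `[url=...]` accepts only absolute `http`/`https` URLs; and a stack of open elements keeps the generated HTML well-formed when the input's tags are mismatched, unclosed, or closed without ever being opened. The class and tag set are constructed for the example.

```ruby
require 'cgi'
require 'uri'

# Constructed example (not rails-html-sanitizer, not any forum's code):
# a BBCode -> HTML renderer that treats the input as data, never as markup.
class SafeBbcode
  # Allowlisted BBCode tag -> HTML element. Anything else stays literal text.
  TAGS = { 'b' => 'strong', 'i' => 'em', 'u' => 'u', 'url' => 'a' }.freeze
  SCHEMES = %w[http https].freeze
  # [tag], [/tag] or [tag=argument]; only the [url=...] form uses the argument.
  TOKEN = %r{\[(/?)([a-z]+)(?:=([^\]]*))?\]}i

  def self.render(input)
    html = +''
    open_elements = []          # stack of HTML elements currently open
    pos = 0
    input.scan(TOKEN) do
      m = Regexp.last_match
      html << CGI.escapeHTML(input[pos...m.begin(0)]) # literal text between tags
      pos = m.end(0)
      closing = m[1] == '/'
      element = TAGS[m[2].downcase]
      if element.nil?
        html << CGI.escapeHTML(m[0])     # unknown tag: shown as text, not interpreted
      elsif closing
        close_up_to(html, open_elements, element)
      elsif element == 'a'
        href = safe_href(m[3])
        if href
          html << %(<a href="#{CGI.escapeHTML(href)}" rel="nofollow">)
          open_elements.push('a')
        else
          html << CGI.escapeHTML(m[0])   # rejected URL: the tag is left as text
        end
      else
        html << "<#{element}>"
        open_elements.push(element)
      end
    end
    html << CGI.escapeHTML(input[pos..-1])
    close_up_to(html, open_elements, nil) # close whatever the input left open
    html
  end

  # Emit closing tags for (and pop) elements down to and including +element+;
  # nil means "everything". A closing tag for something that is not open is
  # ignored, so the input can never produce a stray or unbalanced </...>.
  def self.close_up_to(html, open_elements, element)
    return if element && !open_elements.include?(element)
    until open_elements.empty?
      popped = open_elements.pop
      html << "</#{popped}>"
      break if popped == element
    end
  end

  # Only absolute http(s) URLs may become an href. javascript:, data:, and
  # anything URI cannot parse (quotes, spaces) are rejected.
  def self.safe_href(arg)
    return nil if arg.nil? || arg.empty?
    uri = URI.parse(arg)
    return nil unless SCHEMES.include?(uri.scheme.to_s.downcase)
    uri.to_s
  rescue URI::InvalidURIError
    nil
  end
end

if __FILE__ == $PROGRAM_NAME
  puts SafeBbcode.render('[b][i]mismatched[/b][/i] <script>x</script>')
end
```

The order matters: escaping happens before any tag is interpreted, so the sanitizer never has to recognise every dangerous HTML construct (the blacklist problem the thread describes); it only has to correctly emit the few elements it was told to allow. The stack is what keeps mismatched input from breaking the generator: `[b][i]x[/b][/i]` renders as `<strong><em>x</em></strong>`, and an unmatched `[/i]` is dropped rather than emitted.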

Such arguments are nonsense. Sure the criticism might be a bit harsh but what on earth do one's credentials matter in such situations? Oh so if I'm not some superstar open source contributor I can't try to point out what could be better in the approaches of another guy who's famous and made huge contributions? We should only look at facts case by case and such fame-based logic can only be detrimental.
> He has his bona fides; where are yours?

I called him out for his specific replies in this specific thread. I didn't call out his reputation or character.

Maybe you should stick to what they and I actually posted here today, and not try to draw the conversation off track into reputation wars.

> It's entirely unnecessary to be a jerk towards him for saying this.

I don't appreciate being called a "jerk."

I stand by what I said, and what I said was that I felt (and feel) that they have a bad attitude to security. They're trying to shift blame from the rails developers to every rails user, and their excuses are weak.

If you think that is "jerky," that's fine, but I feel like name calling and playing the reputation card for no reason is only going to take a conversation down a bad and unconstructive path.

>I called him out for his specific replies in this specific thread. I didn't call out his reputation or character.

Eh, I'm not sure about that. When I see "Wow you have a terrible attitude about security" I'm inclined to think that's exactly what you're doing. I don't have a horse in this race but you seem to be unnecessarily aggressive/antagonistic and you could have discussed the individual merits of his comment without doing that.

>>I don't appreciate being called a "jerk."

Then try not to sound like one? The OP went out of his way to compile and document the important bugs and post them here. You, on the other hand, completely ignored the value of his contribution and instead rudely called him out on a very minor (and frankly, subjective) tonal issue, and went so far as to call it "whitewashing," which implies that he has an agenda.

Did you not notice how OP had absolutely nothing to say about the more serious bugs and instead entirely focused on the less serious ones? (Except for the rails-html-sanitizer bug, which is fairly serious)

He does make multiple valid points though.

I don't understand comments like these.. He's pointing out a legitimate attitude problem which I, and many others, also agree with. There's absolutely no need for the flippant attitude.

If the users of your framework are consistently causing major security problems and the framework is built in a way that it can't be fixed without compromise.. I dunno.. document it? Maybe? Your documentation is basically the API to learning your framework, so if the API is broken to the extent of causing security problems, then it's not god damn production ready!

Remember, if every student is failing your class, the student probably isn't the one to blame.

>>Remember, if every student is failing your class, the student probably isn't the one to blame.

Except not every student is failing the class. Only those not following best practices are.

For example, if you're using params.permit!, you're simply being lazy. This is clearly documented[1]:

"Extreme care should be taken when using permit! as it will allow all current and future model attributes to be mass-assigned."

[1] https://github.com/rails/strong_parameters#permitted-scalar-...
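To make the `permit!` warning quoted above concrete, here is an added example that is not code from this thread and not Rails' own `ActionController::Parameters`: a small constructed model of strong parameters with just enough behaviour to show what `permit!` gives up compared with an explicit allowlist. The `Params` and `User` classes and the request hash are all constructed for the example; a real application would use Rails' class and an ActiveRecord model.

```ruby
# Constructed, simplified model of strong parameters (not Rails' code).
class Params
  def initialize(hash)
    @hash = hash
  end

  # params.require(:user) in Rails terms: the nested hash must be present.
  def require(key)
    nested = @hash[key.to_s]
    raise ArgumentError, "param is missing: #{key}" unless nested.is_a?(Hash) && !nested.empty?
    Params.new(nested)
  end

  # Allowlist. Scalars listed by name are kept; { key: [:a, :b] } allows a
  # nested hash with its own allowlist; every other key the client sent
  # (an injected 'admin', a nested hash nobody asked for) is dropped.
  def permit(*filters)
    permitted = {}
    filters.each do |filter|
      case filter
      when Symbol, String
        key = filter.to_s
        permitted[key] = @hash[key] if @hash.key?(key) && scalar?(@hash[key])
      when Hash
        filter.each do |key, sub_filters|
          nested = @hash[key.to_s]
          permitted[key.to_s] = Params.new(nested).permit(*sub_filters) if nested.is_a?(Hash)
        end
      end
    end
    permitted
  end

  # No filtering at all: whatever the client sent becomes mass-assignable,
  # including attributes the form never exposed.
  def permit!
    @hash.dup
  end

  private

  def scalar?(value)
    value.is_a?(String) || value.is_a?(Numeric) || value == true || value == false || value.nil?
  end
end

# Stand-in for a model with mass assignment (constructed; not ActiveRecord).
class User
  attr_reader :attributes

  def initialize
    @attributes = { 'name' => nil, 'email' => nil, 'admin' => false }
  end

  def assign_attributes(attrs)
    @attributes.merge!(attrs)
  end
end

# Constructed request body: the signup form sends name and email, and the
# client has added an 'admin' key the form never offered.
REQUEST_PARAMS = {
  'user' => { 'name' => 'alice', 'email' => 'alice@example.test', 'admin' => true }
}.freeze

# The lazy version from the comment above: everything sent is assigned.
def build_user_with_permit_bang
  user = User.new
  user.assign_attributes(Params.new(REQUEST_PARAMS).require(:user).permit!)
  user
end

# The documented pattern: only the attributes the form is meant to set.
def build_user_with_allowlist
  user = User.new
  user.assign_attributes(Params.new(REQUEST_PARAMS).require(:user).permit(:name, :email))
  user
end

if __FILE__ == $PROGRAM_NAME
  puts "permit!:   #{build_user_with_permit_bang.attributes}"
  puts "allowlist: #{build_user_with_allowlist.attributes}"
end
```

The difference is the whole point of the README quote: with `permit!` the injected `admin: true` lands on the model, with `permit(:name, :email)` it is silently dropped. The nested form (`permit(:name, address: [:city])`) shows why the allowlist has to be stated per level rather than once at the top.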