author	Robin Dupret <robin.dupret@gmail.com>	2015-08-17 23:12:07 +0200
committer	Robin Dupret <robin.dupret@gmail.com>	2015-08-17 23:12:07 +0200
commit	b79ab88245587515a842c498dd7d0fe3cd8cef57 (patch)
tree	ad6a909a14b306a7001a83a6b1a8d70caafd9ea6
parent	d12ff4fa50719e5282cb2a357968b9532ddce683 (diff)
parent	76c2f01fcb348cb92d0099389db1b4bae8d6d0c0 (diff)
Merge pull request #21273 from piton4eg/patch-6
Small fixes [ci skip]
-rw-r--r--	guides/source/security.md	| 11
1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/guides/source/security.md b/guides/source/security.md
index c701027479..21cf48c2cf 100644
--- a/guides/source/security.md
+++ b/guides/source/security.md
@@ -198,11 +198,10 @@ This attack method works by including malicious code or a link in a page that ac
In the [session chapter](#sessions) you have learned that most Rails applications use cookie-based sessions. Either they store the session id in the cookie and have a server-side session hash, or the entire session hash is on the client-side. In either case the browser will automatically send along the cookie on every request to a domain, if it can find a cookie for that domain. The controversial point is, that it will also send the cookie, if the request comes from a site of a different domain. Let's start with an example:
-* Bob browses a message board and views a post from a hacker where there is a crafted HTML image element. The element references a command in Bob's project management application, rather than an image file.
-* `<img src="http://www.webapp.com/project/1/destroy">`
-* Bob's session at www.webapp.com is still alive, because he didn't log out a few minutes ago.
-* By viewing the post, the browser finds an image tag. It tries to load the suspected image from www.webapp.com. As explained before, it will also send along the cookie with the valid session id.
-* The web application at www.webapp.com verifies the user information in the corresponding session hash and destroys the project with the ID 1. It then returns a result page which is an unexpected result for the browser, so it will not display the image.
+* Bob browses a message board and views a post from a hacker where there is a crafted HTML image element. The element references a command in Bob's project management application, rather than an image file: `<img src="http://www.webapp.com/project/1/destroy">`
+* Bob's session at `www.webapp.com` is still alive, because he didn't log out a few minutes ago.
+* By viewing the post, the browser finds an image tag. It tries to load the suspected image from `www.webapp.com`. As explained before, it will also send along the cookie with the valid session id.
+* The web application at `www.webapp.com` verifies the user information in the corresponding session hash and destroys the project with the ID 1. It then returns a result page which is an unexpected result for the browser, so it will not display the image.
* Bob doesn't notice the attack - but a few days later he finds out that project number one is gone.
It is important to notice that the actual crafted image or link doesn't necessarily have to be situated in the web application's domain, it can be anywhere - in a forum, blog post or email.
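Review bot: two wording problems carried over unchanged into the new `+` bullets are worth fixing while these lines are being touched. In the third bullet, "It tries to load the suspected image" should read "the supposed image": the browser does not suspect anything, the resource is merely presented as an image. "session id" (first paragraph and third bullet) should be "session ID", matching the capitalisation of "ID 1" in the fourth bullet. Also, now that the payload sits inline in the first bullet, the fourth bullet's "the project with the ID 1" and the last bullet's "project number one" refer to the same thing in two different forms; pick one.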
@@ -227,7 +226,7 @@ The HTTP protocol basically provides two main types of requests - GET and POST (
If your web application is RESTful, you might be used to additional HTTP verbs, such as PATCH, PUT or DELETE. Most of today's web browsers, however do not support them - only GET and POST. Rails uses a hidden `_method` field to handle this barrier.
-_POST requests can be sent automatically, too_. Here is an example for a link which displays www.harmless.com as destination in the browser's status bar. In fact it dynamically creates a new form that sends a POST request.
+_POST requests can be sent automatically, too_. Here is an example for a link which displays `www.harmless.com` as destination in the browser's status bar. In fact it dynamically creates a new form that sends a POST request.
```html
<a href="http://www.harmless.com/" onclick="
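Review bot: the reworded sentence is still ungrammatical; "Here is an example for a link which displays `www.harmless.com` as destination" should read "Here is an example of a link that displays `www.harmless.com` as the destination". More importantly, the unchanged context line above ("Most of today's web browsers, however do not support them - only GET and POST. Rails uses a hidden `_method` field to handle this barrier.") can be read as implying that PATCH, PUT and DELETE routes are out of a CSRF attacker's reach; since `_method` is read from an ordinary POST form, the auto-submitted form in this example can set `_method` to any of those verbs, so the guide should say the browser limitation offers no protection. That line also needs a comma after "however".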