OWASP / railsgoat

A vulnerable version of Rails that follows the OWASP Top 10
railsgoat.cktricky.com
MIT License

Explicit References to online code #121

Closed raesene closed 10 years ago

raesene commented 10 years ago

Hi,

So I was using railsgoat for a workshop recently and one thing I noticed is that there are a couple of places where the app makes reference to online JS files, specifically

jsapi - https://github.com/OWASP/railsgoat/blob/14c1fb367d83f7b59e1a96c74521d4f528f6dd53/app/views/layouts/tutorials.html.erb#L16

and

html5shiv - https://github.com/OWASP/railsgoat/blob/14c1fb367d83f7b59e1a96c74521d4f528f6dd53/app/views/layouts/tutorials.html.erb#L9

With those references, if you run the app on a machine which doesn't have Internet access, I was seeing some slow loading on pages that make those references. In my case I didn't want to rely on the conference wi-fi when 40 people hit one AP at once, so I just added jsapi and html5.js to the public/javascript dir and changed the references to point to those local files.

It doesn't 100% remove the problem as apparently the Google Charts API can't be used 100% offline and still have it comply with Google's TOS, but it did solve the slow loading problems.
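As an added example (not part of this issue and not railsgoat's own code), the following Ruby script does the audit a maintainer would want after a report like the one above: it scans an ERB layout for `<script>`/`<link>` tags that fetch assets from another host, flags which of them carry a Subresource Integrity attribute, and applies the same fix Rory describes, rewriting chosen remote URLs to local copies under the app's public directory. The sample layout, the hostnames, the local paths and the `sha384-PLACEHOLDER` value are all constructed for the example; the real layout is the `tutorials.html.erb` linked above.

```ruby
require 'uri'

# Constructed sample layout fragment (not railsgoat's tutorials.html.erb);
# the hosts and the integrity value are placeholders.
SAMPLE_LAYOUT = <<~ERB
  <!--[if lt IE 9]>
    <script src="https://cdn.example.test/html5.js"></script>
  <![endif]-->
  <script src="https://charts.example.test/jsapi"></script>
  <link rel="stylesheet" href="//static.example.test/style.css">
  <script src="https://cdn.example.test/vendor.js"
          integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
  <script src="/javascripts/application.js"></script>
  <%= javascript_include_tag "tutorials" %>
ERB

# Matches the opening tag of a script or link element and captures its attributes.
ASSET_TAG = /<(script|link)\b([^>]*)>/i

# Returns one hash per tag whose src/href points at a different host.
# Relative paths (e.g. /javascripts/application.js) are served locally and skipped.
def external_assets(erb_text)
  findings = []
  erb_text.scan(ASSET_TAG) do |tag, attrs|
    url = attrs[/\b(?:src|href)\s*=\s*["']([^"']+)["']/i, 1]
    next unless url
    begin
      # Protocol-relative URLs (//host/path) still leave the origin; treat them as https.
      uri = URI.parse(url.start_with?('//') ? "https:#{url}" : url)
    rescue URI::InvalidURIError
      next
    end
    next unless uri.host
    findings << {
      tag: tag.downcase,
      url: url,
      host: uri.host,
      # An integrity attribute pins the fetched file to a known hash (SRI).
      sri: attrs.match?(/\bintegrity\s*=/i)
    }
  end
  findings
end

# Human-readable lines for each external reference found.
def report(erb_text)
  external_assets(erb_text).map do |f|
    status = f[:sri] ? 'pinned with SRI' : 'no integrity attribute'
    "#{f[:tag]} #{f[:url]} -> #{f[:host]} (#{status})"
  end
end

# Remote URL => local path under public/, as in the workaround described above.
# Paths are constructed for the example.
LOCAL_COPIES = {
  'https://cdn.example.test/html5.js' => '/javascripts/html5.js',
  'https://charts.example.test/jsapi' => '/javascripts/jsapi.js'
}.freeze

# Rewrites every mapped remote URL in the layout to its vendored local copy.
def rewrite_to_local(erb_text, mapping)
  mapping.reduce(erb_text) { |text, (remote, local)| text.gsub(remote, local) }
end

if $PROGRAM_NAME == __FILE__
  puts 'Before vendoring:'
  puts report(SAMPLE_LAYOUT)
  puts 'After vendoring:'
  puts report(rewrite_to_local(SAMPLE_LAYOUT, LOCAL_COPIES))
end
```

Running the script on a real layout path (read the file into `erb_text`) lists every asset whose load depends on a third party being reachable, which is exactly what slows the page when the network is absent; the entries without SRI are also the ones whose content could change underneath the app, so vendoring them is the more robust fix than merely pinning.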

cktricky commented 10 years ago

Rory, we'd had this issue before as well in a mirror situation. We'd created a branch on another fork as a work around but I think we need to fix this for the entire project. Sometimes it just means somebody else has to say something so thanks for giving us the push.

Still owe you the DOM XSS found in Code Snippet.

Cheers

On Sun, May 18, 2014 at 3:26 PM, Rory McCune notifications@github.com wrote:

> [quoted the issue report above]

cktricky commented 10 years ago

Fixed! (I think)