Rails 7.1 improved Rails’s security posture and made Rails more friendly with modern browsers by shipping HTML5-compliant sanitizers by default. Great! But the journey there was not a straight road… @shopify Director of Engineering Mike Dalessio shares the story of planning and executing a complex migration task on a major open-source project, a multi-year journey that started in 2015 with a security vulnerability and ended after coordinating major changes upstream to Action View, Rails::HTML::Sanitizer, Loofah, and Nokogiri, and taking over maintenance of libgumbo.

Slides are online at http://mike.daless.io/prez/2023/10/06/rails-world-rails-html5/

Links:
https://rubyonrails.org/
https://github.com/rails/rails-html-sanitizer
https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html

#RailsWorld #RubyonRails #rails #Rails7 #opensource #security #HTML5 #nokogiri #libgumbo #actionview
In the presentation titled "Rails::HTML5: the strange and remarkable three-year journey," Mike Dalessio, Director of Engineering at Shopify, describes the extensive journey of enhancing Rails to support HTML5 sanitization. The talk outlines the evolution of Rails' security measures, moving from an HTML4 sanitizer to one that accommodates the modern demands of HTML5. Key points discussed include:

- **Security Overview**: The presentation begins with a hypothetical scenario posed as a security puzzle, highlighting the risk of running an HTML4 sanitizer in front of modern HTML5-compliant browsers, which parse the same markup differently.
- **Understanding Sanitizers**: Dalessio explains the function of sanitizers, using examples of how they parse and sanitize input, ensuring that only safe tags are allowed through.
- **The Shift from HTML4 to HTML5**: An essential part of the discussion contrasts the HTML4 and HTML5 specifications, emphasizing the flaws and inconsistencies of HTML4, which gives no guidance on error correction, versus the robustness of HTML5, which specifies consistent and predictable parsing behavior for malformed input.
- **Identifying Vulnerabilities**: The presentation draws attention to known vulnerabilities that emerged from discrepancies between how HTML4 and HTML5 parsers build document trees, particularly around elements like `<select>`, where a sanitizer and a browser disagreeing on the tree creates security risks.
- **Implementation Journey**: Dalessio reveals the extensive collaborative efforts needed to migrate the sanitizer stack over several years, culminating in the release of Rails 7.1's support for HTML5 sanitization.
- **Collaborative Efforts and Solutions**: The discussion covers the integration of the existing libraries and the difficulties faced in ensuring backward compatibility while adopting HTML5 standards.
- **Future Prospects**: The talk concludes with optimism about standardizing sanitizer APIs that will simplify parsing and enhance security measures, encouraging continued innovation in protecting user data.
In conclusion, Dalessio encourages developers to review the new documentation on Rails 7.1 HTML5 support, underscoring the complexity and necessity of keeping web applications secure and compliant with modern standards. The presentation reflects not only on technical improvements in Rails but also on the collaborative spirit needed to tackle such significant challenges in the open-source community.