rawfish.dev

Reputation: 329

rails javascript in text_field_tag

I'm kind of new to JavaScript/jQuery and Rails at the moment and was using a text_field_tag with select2-rails in order to create tagging with autocomplete, etc.

It's working pretty great now but just out of curiosity I placed

< script >alert("hello");< /script >

(without the spaces) in the textbox and the alert popped up. Isn't that pretty unsafe? Is there anything that I should be adding to stop the javascript from being executed in that text_field?

Edit: This is my JavaScript on that page to apply to my text_field_tag:

$(document).ready(function() {
    // Turn the plain text field into a select2 tag input
    $("#filter-in-postkey-select2").select2({
        width                   : "450px",
        placeholder             : "No postkeys. Add some here now!",
        minimumInputLength      : 1,
        maximumSelectionSize    : 5,
        // Preset tags offered for autocomplete; users can also type new ones
        tags                    : ["red", "brown", "green"],
        // Typing a comma or a space finishes the current tag
        tokenSeparators         : [",", " "]
    });
});

and my text field is simply:

<%= text_field_tag "filter-in-postkey-select2" %>

Upvotes: 1

Views: 778

Answers (1)

The Pied Pipes

Reputation: 1435

You can escape the user's input with a plugin such as xss_terminate.

Then it's as simple as doing this in your model:

class YourModel < ActiveRecord::Base
  # Sanitize every string attribute before save, except the listed fields
  xss_terminate :except => [ :your_input_field_to_be_exempt ]
end

Upvotes: 1
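As an added illustration (not part of the question or the answer above, and not xss_terminate's own code), here are the two defensive layers a Rails app relies on for a tag field like this one: output escaping, which is what ERB's `<%= %>` does by default, and an optional allowlist check on tag values before they are stored. The `TAG_FORMAT` pattern and the helper names are assumptions chosen for a tag-style field, and the sample tags are constructed.

```ruby
require 'erb'
require 'json'

# Constructed sample: tags as a user might submit them through the
# select2 text field, including the probe string from the question.
SUBMITTED_TAGS = ['red', 'brown', '<script>alert("hello");</script>'].freeze

# Allowlist check (hypothetical validation, independent of xss_terminate):
# a tag is a short word-like token, so anything containing markup is
# rejected before it is ever stored.
TAG_FORMAT = /\A[\w][\w \-]{0,29}\z/

def valid_tag?(tag)
  TAG_FORMAT.match?(tag)
end

# Keep only the tags that pass the allowlist.
def reject_invalid(tags)
  tags.select { |t| valid_tag?(t) }
end

# Output escaping, the same transformation ERB's <%= %> applies in a Rails
# view. Even if a markup string reached the database, the browser receives
# "&lt;script&gt;..." as text, so nothing executes.
def render_tag_list(tags)
  items = tags.map { |t| "<li>#{ERB::Util.html_escape(t)}</li>" }
  "<ul>#{items.join}</ul>"
end

# The select2 `tags:` option is a JSON array placed inside a <script> block.
# HTML escaping does not apply there, and a literal "</script>" inside a JSON
# string would close the block early, so angle brackets and ampersands are
# emitted as JSON \u escapes instead. Rails' to_json does this by default;
# the plain json library does not, hence the explicit substitution.
JSON_SCRIPT_ESCAPES = { '<' => '\u003c', '>' => '\u003e', '&' => '\u0026' }.freeze

def tags_json_for_script(tags)
  JSON.generate(tags).gsub(/[<>&]/, JSON_SCRIPT_ESCAPES)
end

if __FILE__ == $PROGRAM_NAME
  puts reject_invalid(SUBMITTED_TAGS).inspect
  puts render_tag_list(SUBMITTED_TAGS)
  puts tags_json_for_script(SUBMITTED_TAGS)
end
```

The escaped JSON still parses back to the original strings, so select2 shows the tag text unchanged while the page source contains no live `<script>` tag.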
