Nick Ginanto

Reputation: 32120

How to fix this XSS in Rails

I don't know if it counts as an XSS, but it is causing errors.

I have an image_tag and the :alt tag is generated by the user

However, using sanitize/h/html_escape doesn't help with this (from OWASP, here):

';alert(String.fromCharCode(88,83,83))//';alert(String.fromCharCode(88,83,83))//";
alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--
></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

when doing

:alt => (the string above)

the output of the image is messed up

Is there a way to fix this XSS?

I'm using the latest Rails and Ruby.

Upvotes: 1

Views: 425

Answers (2)

Rhea

Reputation: 11

You can fix it by filtering ", ' and >; just these three characters are enough.

Upvotes: 0

Holger Just

Reputation: 55718

Since Rails 3.2.8 and thus the fix of CVE-2012-3464, the Rails escape helpers escape both double quotes and single quotes.

If you are actually using the correct version, you should be just fine.

>> ERB::Util.h '\';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">\'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>'
=> "&#39;;alert(String.fromCharCode(88,83,83))//&#39;;alert(String.fromCharCode(88,83,83))//&quot;;alert(String.fromCharCode(88,83,83))//&quot;;alert(String.fromCharCode(88,83,83))//--&gt;&lt;/SCRIPT&gt;&quot;&gt;&#39;&gt;&lt;SCRIPT&gt;alert(String.fromCharCode(88,83,83))&lt;/SCRIPT&gt;"

(Note: the backslashes in the above raw string need to be there for Ruby to properly parse the string which then contains the single quotes verbatim.)

Upvotes: 1
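As an added example (not from the question or either answer), a plain-Ruby check that ERB::Util.html_escape, the escaping the Rails helpers rely on, neutralises the OWASP probe from the question when it lands inside an alt attribute. img_tag and attribute_value_safe? are hypothetical stand-ins written for this example, not Rails' own image_tag.

```ruby
require 'erb'

# The OWASP test string from the question, written with the backslashes the answer
# mentions so that Ruby keeps the single quotes verbatim.
XSS_PROBE = '\';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">\'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>'

# Escape a value for use inside an HTML attribute. ERB::Util.html_escape replaces
# & < > " and ' (the single quote as &#39;), so the value can neither close the
# attribute nor open a new tag, whichever quote style the template uses.
def attr_escape(value)
  ERB::Util.html_escape(value.to_s)
end

# Hypothetical stand-in for image_tag with a user-controlled alt text.
def img_tag(src, alt)
  %(<img src="#{attr_escape(src)}" alt="#{attr_escape(alt)}" />)
end

# Defender's check on the rendered markup: exactly one tag (one '<' and one '>'),
# only the four double quotes that delimit src and alt, and no raw single quote.
def attribute_value_safe?(html)
  html.count('<') == 1 &&
    html.count('>') == 1 &&
    html.count('"') == 4 &&
    !html.include?("'")
end

# Escaped rendering passes; the same markup built without escaping does not.
puts attribute_value_safe?(img_tag('logo.png', XSS_PROBE))
puts attribute_value_safe?(%(<img src="logo.png" alt="#{XSS_PROBE}" />))
```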
