Ron Gejman

Reputation: 6215

Storing generated HTML and preventing XSS attacks in Rails 3

I am writing an app where a lot of heavy duty calculations are performed in the browser to generate and format some content. The resulting content is HTML that I would like to save on the server (structure, links, results of calculations, etc). It does not have any javascript or CSS (in style tags).

Is there a Rails method or plugin I can use in a model's before_save or after_initialize method to strip javascript/css from the content and safely send it back to the browser (via JSON, FYI) while preventing XSS attacks, given the simple structure of the content?

Upvotes: 1

Views: 374

Answers (1)

Tomdarkness

Reputation: 3820

I personally use the Sanitize gem. Using this gem you can configure what HTML elements and attributes you want to allow and the gem will strip anything else.

I'd say this is a good choice for your app: since you want to allow some HTML but disallow JavaScript/CSS, a sanitizer based on a full-blown HTML parser is most likely the best choice, considering there are numerous ways of being crafty and injecting JavaScript/CSS into HTML.

Upvotes: 2
