Reputation: 31
I have a Rails 3.2.21 application. One of my users has an address with a slash in it (think Main Street 321 1/2). Currently, we filter out slashes, which makes this user's address invalid in our system. How can I allow this address through without either disabling the validation for this particular address or allowing slashes globally (a huge security risk)? Is there a way I can encode the slash, put it into the database and encode it back to a slash upon retrieval?
Thank you!
Upvotes: 0
Views: 72
Reputation: 536625
Just allowing slashes opens up increased possibility for XSS
Not really. Slashes are not special characters in places you are likely to accidentally inject content with XSS potential (HTML, JavaScript string literals). Input validation is in any case not the correct place to be addressing injection issues.
The class of vulnerability that slashes are likely to affect is filepath injection (typically resulting in unwanted file access through directory traversal). But still the place to worry about that is where you create filepaths.
Is there a way I can encode the slash, put it into the database and encode it back to a slash upon retrieval?
The database doesn't need to be protected from slashes. And if you did that, and there were any XSS or filepath problems in your code—problems that don't live in the database—you would still be just as vulnerable as before.
Upvotes: 1
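To make the answer's point concrete, here is an added Ruby example (not code from the question, the answer, or the Rails project): the address keeps its slash in the model, and the two injection classes mentioned are handled where they actually occur, at HTML output and at filesystem path construction. The allow-list pattern and the `/srv/uploads` base directory are assumptions for the example.

```ruby
# Added example: keep "Main Street 321 1/2" verbatim and address XSS and
# path traversal at the output and filesystem boundaries instead of on input.
require "erb"

# Validation: accept a slash in a street address. This character class is an
# assumed allow-list for the example, not the questioner's real rule.
ADDRESS_PATTERN = %r{\A[\p{L}\p{N} .,'/#-]{1,100}\z}

def valid_address?(address)
  !!(address =~ ADDRESS_PATTERN)
end

# Output encoding: where XSS is actually prevented. A slash passes through
# unchanged; HTML metacharacters such as < > & " ' are escaped.
def render_address(address)
  "<span class=\"address\">#{ERB::Util.html_escape(address)}</span>"
end

# Filepath construction: where directory traversal is actually prevented.
# user_segment is untrusted; the resolved path must stay strictly inside base.
# Returns nil for absolute paths, ".." escapes, and the empty segment.
def safe_path(base, user_segment)
  base_dir = File.expand_path(base)
  candidate = File.expand_path(user_segment, base_dir)
  return nil unless candidate.start_with?(base_dir + File::SEPARATOR)
  candidate
end
```

Note that the slash in "321 1/2" survives validation and rendering untouched, while the same slash in a path segment simply becomes a subdirectory under the base and only a `..` or absolute path is rejected.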