Arun Mathew Kurian

Reputation: 536

Unsafe parameter value in link_to href

I have added the following line to a template file

link_to("CSV", params.merge(:action => "list", :format => :csv, :filename => filename))

A security assessment tool showed the warning that there is a cross-site scripting vulnerability associated with this. I need to know

1) Why does such a vulnerability occur?
2) What is the solution to this problem?

Upvotes: 3

Views: 562

Answers (1)

Karan Purohit

Reputation: 2659

I don't think there's a need to merge :format and :filename into params. This will lead to two major complications.

  1. Someone can modify the querystring, leaving doors to security vulnerability.
  2. Having user-defined symbols at runtime and merging them with params also leaves a door for a DoS (Denial of Service) attack.

(you may google about these issues for detailed explanation)

Focusing on what you can do to solve this issue:

link_to("CSV", :action => "list", :format => :csv, :filename => filename)

or, if it is in another controller,

link_to("CSV", :controller => "controller_name", :action => "list", :format => :csv, :filename => filename)

This might help you resolve the issue.

Good luck.

Upvotes: 2
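To make the difference between the two approaches concrete, here is an added example (not code from the question or the answer) with a deliberately simplified stand-in for Rails' url_for, named build_href here; INCOMING_PARAMS is a constructed request parameter hash in which a visitor has appended an extra query-string key.

```ruby
require 'uri'

# Constructed stand-in for the params a Rails controller would receive.
# Keys are strings, as in Rails; "extra" is a key the visitor added to the URL.
INCOMING_PARAMS = {
  "controller" => "reports",
  "action"     => "show",
  "id"         => "42",
  "extra"      => "visitor-supplied",
}

# Hypothetical, simplified url_for: controller/action(.format) become the path,
# every remaining key becomes a percent-encoded query-string parameter.
def build_href(opts)
  opts = opts.transform_keys(&:to_s)
  path = "/#{opts.delete('controller')}/#{opts.delete('action')}"
  fmt = opts.delete("format")
  path += ".#{fmt}" if fmt
  query = URI.encode_www_form(opts.sort)
  query.empty? ? path : "#{path}?#{query}"
end

# The questioner's form: our own keys are merged into whatever the visitor sent,
# so every visitor-controlled key (here "extra") survives into the link href.
def csv_href_merged(params, filename)
  build_href(params.merge(:action => "list", :format => :csv, :filename => filename))
end

# The answer's form: only the keys this link actually needs are passed, so
# nothing the visitor appended to the query string reaches the href.
def csv_href_explicit(params, filename)
  build_href(:controller => params["controller"], :action => "list",
             :format => :csv, :filename => filename)
end

if __FILE__ == $0
  puts csv_href_merged(INCOMING_PARAMS, "report")
  puts csv_href_explicit(INCOMING_PARAMS, "report")
end
```

Percent-encoding in the merged form only changes how the visitor's value is spelled; it does not stop the value from being reflected into the page, which is what the assessment tool is warning about.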
