Reputation: 1495
Code Climate is giving me a "Cross Site Scripting" error on this line of code in one of the html.haml:
= link_to 'Next', @redirect_uri, data: { no_turbolink: true }, class: 'btn btn-primary'
In the controller, @redirect_uri is:
@redirect_uri = params[:redirect_uri] << "&show_more_pages=false"
params[:redirect_uri] is a very long url with the redirect uri in it.
What exactly is wrong and how can I make Code Climate happy?
Upvotes: 4
Views: 1266
Reputation: 18833
Code Climate is complaining because you're embedding the potentially user-provided redirect_uri in your page. That URI might be JavaScript, which would execute when a user clicks the link. Because the user's clicking a link rendered by your page, the JS has access to the page as if you'd written the code yourself, so someone devious can exfiltrate all sorts of information you intended only the user and your server to have access to.
Try it out with a link like this:
http://your.web.site/?redirect_uri=alert('Boom');
Since you're in Rails, you have access to sanitize, which cleans out evil parts of the URL for you and I expect will quiet Code Climate. There are also a few SO questions around that might help:
Upvotes: 5
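Added example, not code from the question or the answer: one way to keep a user-supplied redirect_uri from ever becoming a javascript: link is to parse it and reject anything that is not an http(s) URL on a host you expect, before it reaches link_to. It uses plain Ruby's URI so it runs outside Rails; the allowed-host list is a hypothetical stand-in for your own, and the show_more_pages parameter is appended the way the question's controller does, but through the query string rather than a raw "&" append.

```ruby
require 'uri'

# Hypothetical allowlist of hosts the app is willing to send users to.
ALLOWED_HOSTS = ['your.web.site'].freeze

# Returns an absolute http(s) URL on an allowed host with show_more_pages=false
# added to its query string, or nil when the candidate must not be rendered
# as a link target (javascript:, data:, relative paths, unknown hosts, junk).
def safe_redirect_uri(candidate)
  return nil if candidate.nil? || candidate.strip.empty?

  uri = URI.parse(candidate.strip)
  # URI::HTTPS is a subclass of URI::HTTP, so this accepts both and rejects
  # every other scheme as well as scheme-less (relative) values.
  return nil unless uri.is_a?(URI::HTTP)
  return nil unless ALLOWED_HOSTS.include?(uri.host)

  # Append the flag through the parsed query so it is well-formed whether or
  # not the original URL already carried parameters.
  query = URI.decode_www_form(uri.query || '')
  query << ['show_more_pages', 'false']
  uri.query = URI.encode_www_form(query)
  uri.to_s
rescue URI::InvalidURIError
  # Anything URI cannot parse (e.g. embedded "<") is treated as unsafe.
  nil
end
```

In the controller, render the link only when this returns a value and fall back to a known-safe path otherwise, so Code Climate's flagged line never sees raw request input.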