Digvijay
Reputation: 8967
resolve XSS issue on ruby on rails
Example: If we store <script>alert(299792458)</script> as a first name input, the value is getting accepted and stored.
When we display the data, an alert pops up. I understand that it's a Cross-Site Scripting (XSS). I have gone through http://guides.rubyonrails.org/security.html#cross-site-scripting-xss but I wan't able to understand.
All I need to do is make sure that alert doesn't happen. So, what's a best option. Sanitize first name while saving it (or) use html_safe when displaying it.
Upvotes: 1
Views: 606
Answers (1)
Digvijay
Reputation: 8967
I used this function and it worked as expected.
CGI::escapeHTML(user.firstname)
On display page, it showed <script>alert("123");</script> but the script didn't run because it escaped the tags.
Upvotes: 1
Related Questions
- Sanitize output in Rails
- Sanitizing URL to prevent XSS in Rails
- Escaping HTML in Rails
- How to fix this XSS in Rails
- How to sanitize "inline javascript" in ruby on rails?
- Sanitize input XSS and HTML input in rails
- How can I make rails rails_xss stop escaping my in template Javascript?
- Protecting from XSS in escape_javascript() output in Rails
- How to escape javascript-generated html in Rails?
- Ruby on Rails and XSS prevention