Reputation: 8967
Example: If we store <script>alert(299792458)</script> as a first name input, the value is getting accepted and stored.
When we display the data, an alert pops up. I understand that it's a Cross-Site Scripting (XSS). I have gone through http://guides.rubyonrails.org/security.html#cross-site-scripting-xss but I wasn't able to understand.
All I need to do is make sure that the alert doesn't happen. So, what's the best option? Sanitize the first name while saving it (or) use html_safe when displaying it.
Upvotes: 1
Views: 606
Reputation: 8967
I used this function and it worked as expected.
CGI::escapeHTML(user.firstname)
On the display page, it showed <script>alert("123");</script>
but the script didn't run because it escaped the tags.
Upvotes: 1
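As an added example (not code from the question or answer above), the following plain Ruby script contrasts the two paths the question weighs: escaping at output time with CGI.escapeHTML (what Rails' <%= %> does by default via ERB::Util.html_escape, while html_safe tells ERB to skip that escaping) versus interpolating the raw stored value. It also shows why escaping on save is the weaker choice: the view escapes again and the name renders mangled. The payload string and the render helpers are constructed for this example.

```ruby
require 'cgi'
require 'erb'

# Constructed sample input: the payload from the question, exactly as it would
# sit in the database if the value is stored unmodified.
STORED_FIRST_NAME = '<script>alert(299792458)</script>'.freeze

# Safe path: encode for the HTML body context at render time. The browser shows
# the literal text "<script>..." but never parses it as an element.
def render_escaped(name)
  "<p>Hello, #{CGI.escapeHTML(name)}</p>"
end

# Unsafe path: raw interpolation. In a Rails view this is what marking an
# untrusted string html_safe (or using raw) produces, because ERB then skips
# its default escaping.
def render_raw(name)
  "<p>Hello, #{name}</p>"
end

# Escape-on-save, as the question considers: the stored value is already
# escaped, then the view escapes it again, so the user sees "&lt;script&gt;"
# spelled out instead of their name.
def render_double_escaped(name)
  stored = CGI.escapeHTML(name)
  "<p>Hello, #{CGI.escapeHTML(stored)}</p>"
end

# Minimal check suitable for a view spec: does the rendered fragment still
# contain a live <script> start tag?
def contains_script_tag?(html)
  html.match?(/<script\b/i)
end

if __FILE__ == $0
  puts render_escaped(STORED_FIRST_NAME)
  puts render_raw(STORED_FIRST_NAME)
  puts render_double_escaped(STORED_FIRST_NAME)
  puts contains_script_tag?(render_escaped(STORED_FIRST_NAME)) # false
  puts contains_script_tag?(render_raw(STORED_FIRST_NAME))     # true
end
```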