Digvijay

Reputation: 8967

Resolve XSS issue on Ruby on Rails

Example: If we store <script>alert(299792458)</script> as the first name input, the value is accepted and stored.

When we display the data, an alert pops up. I understand that it's Cross-Site Scripting (XSS). I have gone through http://guides.rubyonrails.org/security.html#cross-site-scripting-xss but I wasn't able to understand it.

All I need to do is make sure that the alert doesn't happen. So, what's the best option: sanitize the first name while saving it, or use html_safe when displaying it?

Upvotes: 1

Views: 606

Answers (1)

Digvijay

Reputation: 8967

I used this function and it worked as expected.

require 'cgi'
CGI::escapeHTML(user.firstname)

On the display page, it showed <script>alert("123");</script> but the script didn't run because the tags were escaped.

Upvotes: 1
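The following is an added example, not code from the question or the answer above, showing why escaping on output (the answer's approach) is the right place to stop the alert, and why marking the value html_safe is the one thing that would re-enable it. It uses only the Ruby standard library (CGI and ERB::Util), so it runs outside Rails; in a Rails view, `<%= user.firstname %>` already applies this same escaping automatically, and the alert in the question only fires when the value reaches the page unescaped (via `raw`, `html_safe`, or string concatenation into markup). The sample inputs and the `render_*` helper names are constructed for this example.

```ruby
require 'cgi'
require 'erb'

# Constructed sample inputs (not from the original post): the payload from the
# question, an attribute-context variant, and a legitimate name that a
# "strip everything suspicious on save" approach would mangle.
PAYLOADS = {
  script_tag: '<script>alert(299792458)</script>',
  attr_break: '" onmouseover="alert(1)',
  plain:      "O'Brien & Sons",
}.freeze

# What the question's page effectively did: the stored value is dropped into
# the markup verbatim. In Rails this is the result of `raw user.firstname`
# or `user.firstname.html_safe`; the browser sees a real <script> element.
def render_unsafe(first_name)
  "<p>Hello, #{first_name}</p>"
end

# Escape on output, as in the answer: the five HTML-significant characters
# (& < > " ') become entities, so the browser renders them as text.
def render_escaped(first_name)
  "<p>Hello, #{CGI.escapeHTML(first_name)}</p>"
end

# Attribute context: the same escaping also neutralises a payload that tries
# to close the value="" quotes and add an event handler. ERB::Util.html_escape
# is what Rails' ERB calls for <%= %>; it maps the same characters as
# CGI.escapeHTML.
def render_attr(first_name)
  %(<input name="first_name" value="#{ERB::Util.html_escape(first_name)}">)
end

# Tiny check used only in this example: does the rendered markup still contain
# a live <script ...> tag? An escaped payload shows up as &lt;script&gt;, which
# does not match.
def live_script?(html)
  html.match?(/<script\b/i)
end

if $PROGRAM_NAME == __FILE__
  PAYLOADS.each do |label, value|
    puts "#{label}:"
    puts "  unsafe : #{render_unsafe(value)}   (live script? #{live_script?(render_unsafe(value))})"
    puts "  escaped: #{render_escaped(value)}   (live script? #{live_script?(render_escaped(value))})"
    puts "  attr   : #{render_attr(value)}"
  end
end
```

Note that the legitimate name survives intact: `O'Brien & Sons` is stored exactly as typed and is displayed as `O'Brien & Sons` because `&#39;` and `&amp;` render back to the original characters. Storing the raw value and escaping at every output point is what lets the same record be shown safely in HTML, JSON, or an email without guessing at save time which contexts it will end up in.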
