Martin Hansen

Reputation: 571

Escape URL in rails

I have a commenting system where people can leave a comment together with their website. Since Rails now escapes everything by default I don't really do anything to avoid XSS and it works fine - almost. For some reason the URL isn't escaped.

In order to display the username I have a simple helper:

# Renders the commenter's name, linked to their site if they gave one.
def display_name(name, site)
  if site.blank?
    name
  else
    # link_to escapes the link text, but the href is emitted as given,
    # so a site of "javascript:alert(1)" lands in the page verbatim.
    link_to(name, site)
  end
end

But if you put something like javascript:alert(1) into the website field it gets injected directly into the page - any idea how to escape this?

Upvotes: 2

Views: 489

Answers (1)

Douglas F Shearer

Reputation: 26488

Even if you escape javascript, malicious users could still create URLs which point to, say, delete URLs that could potentially affect a user's data. Why not verify the URL as such when you collect it?

validates :attribute, :url => true

I'd recommend using Thong Kuah's UrlValidator.

Upvotes: 2
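To make the answer's point concrete: HTML escaping does nothing to a `javascript:` URL because it contains no characters that escaping touches, so the fix is to validate the scheme when the value is collected (and, defensively, again when it is rendered). The following is an added example written for this page, not code from the question, the answer, or Thong Kuah's UrlValidator. It uses only the Ruby standard library (`URI` and `CGI.escapeHTML` in place of Rails' `link_to`), and the helper names `safe_site_url?` and `display_name`, the `ALLOWED_SCHEMES` allowlist and the `rel="nofollow"` attribute are all assumptions of the example. In a Rails app the same `safe_site_url?` check is what a custom validator would run against the attribute.

```ruby
require "uri"
require "cgi"

# Only absolute http(s) URLs with a host are accepted as a commenter's site.
# This rejects javascript:, data:, vbscript: and any other scheme outright,
# as well as scheme-relative ("//evil.example") and bare ("example.com") input.
ALLOWED_SCHEMES = %w[http https].freeze

# Returns true only when +site+ is an absolute URL on an allowed scheme.
# Whitespace is stripped first so " javascript:alert(1)" is not smuggled past
# the check, and URI.parse already downcases the scheme, so "JavaScript:"
# is caught as well. Unparseable input is rejected rather than raising.
def safe_site_url?(site)
  uri = URI.parse(site.to_s.strip)
  ALLOWED_SCHEMES.include?(uri.scheme&.downcase) && !uri.host.to_s.empty?
rescue URI::InvalidURIError
  false
end

# Stand-in for the Rails helper from the question: the name is always
# escaped; a link is emitted only when the site passed validation, and the
# href is attribute-escaped so a "&" or a quote cannot break out of it.
def display_name(name, site)
  escaped_name = CGI.escapeHTML(name.to_s)
  return escaped_name unless safe_site_url?(site)

  # rel="nofollow" is an assumption of this example, not something the
  # answer requires; it just stops user-supplied links earning search rank.
  href = CGI.escapeHTML(site.to_s.strip)
  %(<a href="#{href}" rel="nofollow">#{escaped_name}</a>)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input, the kind a commenter (or attacker) would type.
  [
    ["Alice", "https://example.com/blog"],
    ["Mallory", "javascript:alert(1)"],
    ["Mallory", "  JavaScript:alert(1)"],
    ["Mallory", "data:text/html;base64,PHNjcmlwdD4="],
    ["Bob <script>", nil],
  ].each do |name, site|
    puts "#{site.inspect.ljust(40)} -> #{display_name(name, site)}"
  end
end
```

Note that `CGI.escapeHTML("javascript:alert(1)")` returns the string unchanged, which is exactly why the original helper "works fine" for the name but not for the href: the dangerous part of the URL is its scheme, not any special character, so it has to be rejected, not escaped.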
