Hossein Safari

Reputation: 369

How to prevent XSS attacks in API mode of Rails?

I've read an article about preventing XSS attacks. It explained that Rails itself prevents some attacks. Actually, Rails uses the ERB::Util#html_escape function to escape HTML entities.

<b>Hello <%= params[:name] %></b>
If the above is attacked with ?name=<script>alert(1)</script>, the output will be as follows:
<b>Hello &lt;script&gt;alert(1)&lt;/script&gt;</b>

But when I pass this name in API mode, it doesn't work.

Postman:
url?name=<script>alert(1)</script>

Rails app:
params[:name]
The output will be "<script>alert(1)</script>".

Does it have any config for working correctly in API mode?

Upvotes: 3

Views: 851

Answers (1)

tadman

Reputation: 211590

It's not an attack to receive data like that. It's an attack to display it.

By default Rails escapes within the HTML context, and only within the HTML context, so when you do:

<p><%= params[:name] %></p>

You'll see the escaped version that's rendered harmless. The only way around this is if you go out of your way to declare it safe with html_safe, which you wouldn't do unless you're sure it is safe.

If you have an API-style app with no front-end at all, congratulations, you're immune to XSS attacks. Your clients, however, will need to take precautions to ensure they properly escape any content for the appropriate context in which it's presented.

In other words, Rails won't and shouldn't care unless HTML is being displayed.

Remember, the parameter itself is never altered; it's just escaped before being displayed.

Upvotes: 4
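Added example, not code from the question or the answer: plain Ruby using the stdlib ERB::Util.html_escape that Rails builds on. The PARAMS hash and the three helper functions are constructed stand-ins for a Rails request, a view, an API controller and a consuming client. It shows that the parameter is never changed, that escaping happens only where HTML is produced, and that an API-mode JSON body passes the value through untouched, leaving the client to escape it for its own display context.

```ruby
require 'erb'
require 'json'

# Constructed stand-in for Rails params after parsing ?name=<script>alert(1)</script>
PARAMS = { name: '<script>alert(1)</script>' }.freeze

# An ERB view: <%= %> runs html_escape on the value, and only because HTML is being built.
def render_html_view(params)
  "<b>Hello #{ERB::Util.html_escape(params[:name])}</b>"
end

# An API-mode controller: the raw value is serialised as JSON.
# Nothing is HTML-escaped here because no HTML is being produced.
def render_api_json(params)
  JSON.generate({ name: params[:name] })
end

# A client that inserts an API field into an HTML page must escape for that context itself.
def client_insert_into_html(json_body)
  name = JSON.parse(json_body)['name']
  "<p>#{ERB::Util.html_escape(name)}</p>"
end

# Escaping never modifies the stored parameter; each consumer escapes a copy for its own context.
def param_unchanged_after_render?(params)
  before = params[:name].dup
  render_html_view(params)
  render_api_json(params)
  params[:name] == before
end
```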
