Reputation: 2329
How to sanitize an attribute value in rails
What is the best way to sanitize an attribute value in rails? The code looks something like this:
<img alt="<%= h 'untrusted-data' %>" src="image-source-here" />
I am specifically concerned about Rule #2 and Rule #3 given on owasp.net XSS prevention cheat sheet.
- Attribute Escape Before Inserting Untrusted Data into HTML Common Attributes
- JavaScript Escape Before Inserting Untrusted Data into JavaScript Data Values
Is html_escape method enough for the purpose? For some reason I cant use the tag method provided by TagHelper here. Using Rails 2.3.5 version.
Upvotes: 2
Views: 4824
Answers (1)
Reputation: 5001
Yes, it's good enough. (with another " though but I guess it's a typo :)
<img alt="<%=h untrusted %>" src="img.png" />
h will prevent untrusted to contain " and replace it by " so that the attacker will be unable to go out of the alt attribute. Moreover, she will also be unable to exploit something by the alt attribute as no parsing is done in it.
For example, it would be different if it was in a a's href attribute, in which case the attacker would have been able to run some javascript code when clicked even without be able to go out of the attribute. (like javascript:alert(/XSSed/);)
Upvotes: 3
Related Questions
- Sanitize output in Rails
- Rails form text_field escaping html
- Is there any way to define a model's attribute as always html_safe?
- Escaping text so it would remain readable
- Escaping HTML in Rails
- Sanitize input XSS and HTML input in rails
- Get Rails 3 to sanitize output by default instead of escaping it
- Safely display html encoded values in Rails
- Ruby on Rails: How best to escape a string in a model?
- Sanitize Markdown in Rails?