Reputation: 2329
What is the best way to sanitize an attribute value in rails? The code looks something like this:
<img alt="<%= h 'untrusted-data' %>" src="image-source-here" />
I am specifically concerned about Rule #2 and Rule #3 given on owasp.net XSS prevention cheat sheet.
- Attribute Escape Before Inserting Untrusted Data into HTML Common Attributes
- JavaScript Escape Before Inserting Untrusted Data into JavaScript Data Values
Is the html_escape method enough for the purpose? For some reason I can't use the tag method provided by TagHelper here. Using Rails 2.3.5.
Upvotes: 2
Views: 4824
Reputation: 5001
Yes, it's good enough (with another " though, but I guess it's a typo :)
<img alt="<%=h untrusted %>" src="img.png" />
h will prevent untrusted from containing " and replace it with &quot;, so that the attacker will be unable to break out of the alt attribute. Moreover, she will also be unable to exploit anything through the alt attribute itself, as no parsing is done on it.
For example, it would be different if it were in an a's href attribute, in which case the attacker would have been able to run some JavaScript code when the link is clicked, even without being able to break out of the attribute (like javascript:alert(/XSSed/);).
Upvotes: 3
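Added example, not part of the question or the answer above: a stand-alone Ruby file that shows what an html_escape-style `h` does to an attribute payload, and why that is not sufficient once the attribute is `href`. The four-entry escape table reproduces, from memory of Rails 2.3's `ERB::Util::HTML_ESCAPE`, the characters `h` handled in that version (an assumption stated in the code; note it does not include the single quote, which is why the attribute must be double-quoted). `attr_h`, `img_tag`, `safe_href`, `link_tag` and `SAFE_SCHEMES` are names chosen here, not Rails helpers.

```ruby
# Added example, not code from the original question or answer.
# The table below reproduces the characters Rails 2.3's `h` escaped
# (assumption: recalled from ERB::Util::HTML_ESCAPE in that release); it is
# a stand-in so this file runs without Rails. Note: no single quote.
HTML_ESCAPE = { '&' => '&amp;', '>' => '&gt;', '<' => '&lt;', '"' => '&quot;' }.freeze

# Equivalent of `h untrusted` in an ERB template.
def attr_h(value)
  value.to_s.gsub(/[&><"]/) { |c| HTML_ESCAPE[c] }
end

# The tag from the question. The attribute value MUST be wrapped in double
# quotes: attr_h neutralises " but not ', so alt='...' would still be breakable.
def img_tag(alt, src)
  %(<img alt="#{attr_h(alt)}" src="#{attr_h(src)}" />)
end

# Rule #2 (attribute escaping) stops break-out of the attribute. A URL
# attribute additionally needs a scheme check, because "javascript:alert(1)"
# contains none of & < > " and passes attr_h unchanged.
SAFE_SCHEMES = %w[http https].freeze

# Returns the URL if it is relative or uses an allowed scheme, else nil.
def safe_href(url)
  # Browsers ignore tab/CR/LF inside the scheme and leading whitespace, so
  # strip them before inspecting it ("java\tscript:" is still javascript:).
  candidate = url.to_s.delete("\t\r\n").strip
  if candidate =~ /\A([a-z][a-z0-9+.\-]*):/i
    scheme = Regexp.last_match(1).downcase
    return nil unless SAFE_SCHEMES.include?(scheme)
  end
  candidate
end

# Builds an <a> only when the URL survives the scheme check; the escaped value
# still goes through attr_h so a literal & or " in the URL cannot break out.
def link_tag(href, text)
  url = safe_href(href)
  return nil if url.nil?
  %(<a href="#{attr_h(url)}">#{attr_h(text)}</a>)
end

# Constructed payloads for a quick run.
if __FILE__ == $PROGRAM_NAME
  puts img_tag(%q{" onerror="alert(1)}, 'img.png')
  puts link_tag('javascript:alert(/XSSed/);', 'click').inspect
  puts link_tag("java\tscript:alert(1)", 'click').inspect
  puts link_tag('https://example.com/?a=1&b=2', 'ok')
end
```

Running it shows the alt payload landing inert inside the quotes, while the two javascript: links are dropped entirely; an escaping helper alone would have emitted them unchanged.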