Jai Pandya

Reputation: 2329

How to sanitize an attribute value in rails

What is the best way to sanitize an attribute value in rails? The code looks something like this:

<img alt="<%= h 'untrusted-data' %>" src="image-source-here" />

I am specifically concerned about Rule #2 and Rule #3 given on owasp.net XSS prevention cheat sheet.

  1. Attribute Escape Before Inserting Untrusted Data into HTML Common Attributes
  2. JavaScript Escape Before Inserting Untrusted Data into JavaScript Data Values

Is the html_escape method enough for the purpose? For some reason I can't use the tag method provided by TagHelper here. Using Rails version 2.3.5.

Upvotes: 2

Views: 4824

Answers (1)

tomferon

Reputation: 5001

Yes, it's good enough. (With another " though, but I guess it's a typo :)

<img alt="<%=h untrusted %>" src="img.png" />

h will prevent untrusted from containing " and replace it with &quot; so that the attacker will be unable to break out of the alt attribute. Moreover, she will also be unable to exploit anything through the alt attribute, as no parsing is done in it.

For example, it would be different if it was in an a's href attribute, in which case the attacker would have been able to run some JavaScript code when clicked, even without being able to break out of the attribute. (like javascript:alert(/XSSed/);)

Upvotes: 3
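To make the two points of the answer concrete (quote escaping keeps untrusted data inside a double-quoted alt attribute, but escaping alone does not help in an href, where a javascript: URL is a valid attribute value), here is an added example in plain Ruby. It is not code from the question or the answer: it uses the standard library's CGI.escapeHTML in place of Rails' h (CGI.escapeHTML in current Ruby escapes ', which, as far as I recall, Rails 2.3's h did not, so the attribute stays double-quoted as in the answer), and the img_tag, link_tag, safe_href? and SAFE_SCHEMES names are my own. The scheme allowlist for href is an added check, not something the answer prescribes.

```ruby
require 'cgi'
require 'uri'

# Attribute escaping: CGI.escapeHTML rewrites & < > " and ' into entities,
# so an escaped value can never close the surrounding double quotes.
def attribute_escape(value)
  CGI.escapeHTML(value.to_s)
end

# Equivalent of the answer's <img alt="<%=h untrusted %>" src="img.png" />.
def img_tag(alt, src)
  %(<img alt="#{attribute_escape(alt)}" src="#{attribute_escape(src)}" />)
end

# Escaping does not change the meaning of a URL, so href needs a second
# check: only allow schemes we expect (assumed allowlist for this example).
SAFE_SCHEMES = %w[http https mailto].freeze

def safe_href?(href)
  uri = URI.parse(href.to_s.strip)
  return true if uri.scheme.nil? # relative URL, e.g. /about
  SAFE_SCHEMES.include?(uri.scheme.downcase)
rescue URI::InvalidURIError
  # Anything the parser rejects (control characters, odd bytes) is refused.
  false
end

# Link helper: the href is validated first, then escaped like any attribute.
def link_tag(href, text)
  target = safe_href?(href) ? href : '#'
  %(<a href="#{attribute_escape(target)}">#{attribute_escape(text)}</a>)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs for the demonstration.
  puts img_tag('" onerror="alert(1)', 'img.png')
  puts link_tag('javascript:alert(/XSSed/);', 'click me')
  puts link_tag('https://example.com/', 'fine')
end
```

Running the file prints the escaped img tag (the injected quote becomes &quot; and stays inside alt), a link whose javascript: target was replaced with #, and an unchanged https link. The design point is the one the answer makes: attribute escaping fixes the "break out of the attribute" problem, and for URL-valued attributes you still need to decide which schemes are acceptable.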
