Reputation: 982
I'm using Rails 3 and Ruby 1.9.2. I'm not doing anything special when I'm displaying the content of my post, I'm just doing
<%= @post.content %>
When I add
"<script language='javascript'>alert('test');</script>"
to my post form, of course it executes the JavaScript alert!
I tried adding html_safe both before saving and before displaying, but it didn't fix anything.
If I have to add any security code, will I have to add it before saving the post or before displaying it? I heard that Rails 3 was doing it itself, so I didn't bother too much about security, but I guess there are still some main things to be careful with.
Upvotes: 0
Views: 1572
Reputation: 211610
Rails 3 is quite strict about escaping anything you put into your view, but in Rails 2 and earlier it was your responsibility to do this. You have to escape everything using the h helper method:
<%= h(value) %>
When building an application that accepts arbitrary user input you must be certain you are escaping anything and everything that shows up in the view.
Upvotes: 2
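As an added illustration of the escaping this answer describes (my own example, not code from the question or the answer), the same script payload rendered twice through plain stdlib ERB, which, unlike Rails 3, escapes nothing by itself: once verbatim, which is what a string marked html_safe produces in Rails, and once through the h helper. The template and helper names below are assumptions for the demo.

```ruby
require 'erb'

# Constructed sample input: the payload from the question, as typed into the post form.
USER_CONTENT = "<script language='javascript'>alert('test');</script>"

# Plain ERB (stdlib, not Rails) does no escaping: <%= %> emits the string as-is.
# This is the behaviour the question observes once the string is marked html_safe,
# since html_safe tells Rails 3 the string is trusted and must NOT be escaped.
def render_raw(content)
  ERB.new("<p><%= content %></p>").result(binding)
end

# Escaped rendering: ERB::Util.h (the h helper the answer refers to) turns
# <, >, & and quotes into entities, so the browser shows the text instead of running it.
def render_escaped(content)
  ERB.new("<p><%= ERB::Util.h(content) %></p>").result(binding)
end

# True when the rendered HTML still contains a live <script> tag.
def contains_script_tag?(html)
  !(html =~ /<script\b/i).nil?
end

if __FILE__ == $0
  puts "raw:     #{render_raw(USER_CONTENT)}"
  puts "escaped: #{render_escaped(USER_CONTENT)}"
end
```

The practical rule this shows: escape at display time, and reserve html_safe for markup you generated yourself, never for user input.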
Reputation: 14740
Are you using Rails 3? The JavaScript stuff should automatically be escaped.
But for more info on preventing XSS, I'd just look at Ryan Bates' RailsCasts.
Upvotes: 1