WRITE FOR US

Ruby on Rails Cross-Site Scripting - XSS

Cross-Site Scripting - XSS

“The injection of HTML or client-side Scripts (e.g. JavaScript) by malicious users into
web pages viewed by other users.”

Cross site scripting

Learn Ruby on Rails - Ruby on Rails tutorial - Cross site scripting - Ruby on Rails examples - Ruby On Rails programs

Cases of accepted user input

No formatting allowed

search query, user name, post title, …

Formatting allowed

post body, wiki page, …

XSS - No Formatting Allowed

Use the Rails `h()` helper to HTML escape user input

Cross site scripting

Learn Ruby on Rails - Ruby on Rails tutorial - Cross site scripting - Ruby on Rails examples - Ruby On Rails programs

But using `h()` everywhere is easy to forget

Use safeERB plugin
safeERB will raise an exception whenever a tainted string is not escaped
Explicitly untaint string in order to not escape it

XSS - Formatting Allowed

Two approaches

Use custom tags that will translate to HTML (vBulletin tags, RedCloth, Textile, …)

Use HTML and remove unwanted tags and attributes

Blacklist - Rails 1.2
Whitelist - Rails 2.0

XSS - Custom Tags

Relying on the external syntax is not really secure

custom tags

Learn Ruby on Rails - Ruby on Rails tutorial - custom tags - Ruby on Rails examples - Ruby On Rails programs

Related Searches to Ruby on Rails Cross-Site Scripting - XSS

what is cross site scriptingcross site scripting tutorialdisable cross site scriptingcross site scripting meanscross site scripting in javacross site scripting in mvcenable cross site scriptingprevent cross site scriptingxss scriptruby railsrails sessionrub mail loginruby injectrails paramsxss vulnerabilityruby httpcookie secure