Rails : XSS (Cross Site Scripting) : Sanitize your data from harmful HTML tags

Do you know what XSS is?

One of the most widespread and devastating security vulnerabilities in web applications is XSS. The attack injects client-side executable code into an HTML document through data that was stored via HTML forms. Rails provides helper methods to fend these attacks off.

Any <script> tag in user-input data may lead to cookie theft, so use the following configuration to avoid such vulnerabilities.

# config/application.rb
class Application < Rails::Application
  # Allowlist: every tag not listed here is stripped by the sanitize helper
  config.action_view.sanitized_allowed_tags = %w(del dd h3 address big sub tt a ul h4 cite dfn h5 small kbd code b ins img h6 sup pre strong blockquote acronym dt br p samp li ol var em div h1 i abbr h2 span hr)
  # Allowlist: every attribute not listed here (e.g. onerror, onclick) is stripped
  config.action_view.sanitized_allowed_attributes = %w(name href style cite class title src xml:lang height datetime alt abbr width)
end

How to use it?

= sanitize comment.message.gsub("\n", '<br>').html_safe
