Rails : XSS (Cross Site Scripting) : Sanitize your data from harmful HTML tags : , , etc

Do you know what XSS is?

One if the most widespread, an devastating security vulnerabilities in web applications is XSS. This malicious attack injects client-side executable code into HTML document via the data-stored via HTML forms. Rails provides helper methods to fend these attacks off.

Any <script> tag in the user-input data may lead to cookie-theft. So use the following configuration to avoid such vulnerabilities.

class Application < Rails::Application
  config.action_view.sanitized_allowed_tags = %w(del dd h3 address big sub tt a ul h4 cite dfn h5 small kbd code b ins img h6 sup pre strong blockquote acronym dt br p samp li ol var em div h1 i abbr h2 span hr)
  config.action_view.sanitized_allowed_attributes = %w(name href style cite class title src xml:lang height datetime alt abbr width)

How to use?

= sanitize comment.message.gsub("\n", '<br>').html_safe