Rails : XSS (Cross Site Scripting) : Sanitize your data from harmful HTML tags such as <script>

Do you know what XSS is?

One of the most widespread and devastating security vulnerabilities in web applications is XSS. In this attack, client-side executable code is injected into an HTML document through data that users submit via HTML forms and that the application later renders. Rails provides helper methods to fend these attacks off.

Any <script> tag in user-supplied data may lead to cookie theft. Use the following configuration so that only a known allow list of tags and attributes survives sanitization:

# config/application.rb
class Application < Rails::Application
  # Tags that sanitize keeps; anything else (script, iframe, ...) is stripped.
  config.action_view.sanitized_allowed_tags = %w(del dd h3 address big sub tt a ul h4 cite dfn h5 small kbd code b ins img h6 sup pre strong blockquote acronym dt br p samp li ol var em div h1 i abbr h2 span hr)
  # Attributes that sanitize keeps on the allowed tags; event handlers such as onerror are not listed, so they are dropped.
  config.action_view.sanitized_allowed_attributes = %w(name href style cite class title src xml:lang height datetime alt abbr width)
end

How to use it?

In a view (HAML shown here), pass the untrusted string through sanitize before rendering it:

= sanitize comment.message.gsub("\n", '<br>').html_safe
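As an added example that is not part of the original post, the following stdlib-only script applies the tag and attribute allow lists from the configuration above to a constructed fragment, so you can see exactly what such a policy keeps and what it drops. It stands in for Rails' own sanitize (which is built on an HTML5 parser); the void-tag, script-body and URL-scheme rules are assumptions of this example, not Rails' documented behaviour.

```ruby
require "rexml/document"
require "cgi"
# Allow lists copied from the config above; the remaining constants are assumed policy.
ALLOWED_TAGS = %w(del dd h3 address big sub tt a ul h4 cite dfn h5 small kbd code b ins img
                  h6 sup pre strong blockquote acronym dt br p samp li ol var em div h1 i abbr h2 span hr)
ALLOWED_ATTRS = %w(name href style cite class title src xml:lang height datetime alt abbr width)
VOID_TAGS = %w(br hr img)            # serialised without a closing tag
DROP_WITH_BODY = %w(script style)    # their body is code, not prose: remove it entirely
SAFE_SCHEMES = %w(http https mailto) # for href/src; scheme-less (relative) URLs also pass

def safe_url?(value)
  scheme = value.strip[/\A([a-z][a-z0-9+.\-]*):/i, 1]
  scheme.nil? || SAFE_SCHEMES.include?(scheme.downcase)
end

def keep_attr?(attr)
  name = attr.expanded_name.downcase
  ALLOWED_ATTRS.include?(name) && (!%w(href src).include?(name) || safe_url?(attr.value))
end

# Walk the parsed tree and re-serialise only what the allow list permits, escaping on the way out.
def render(node)
  case node
  when REXML::Text then CGI.escapeHTML(node.value)       # also covers CDATA sections
  when REXML::Element
    name = node.name.downcase
    return "" if DROP_WITH_BODY.include?(name)
    inner = node.children.map { |child| render(child) }.join
    return inner unless ALLOWED_TAGS.include?(name)      # unknown tag: keep its text only
    kept = []
    node.attributes.each_attribute { |a| kept << a if keep_attr?(a) }
    attrs = kept.map { |a| %( #{a.expanded_name.downcase}="#{CGI.escapeHTML(a.value)}") }.join
    VOID_TAGS.include?(name) ? "<#{name}#{attrs}>" : "<#{name}#{attrs}>#{inner}</#{name}>"
  else "" # comments and processing instructions carry no user prose
  end
end

# Fails closed: REXML is an XML parser, so a fragment it cannot parse is
# escaped wholesale rather than passed through.
def sanitize_fragment(html)
  render(REXML::Document.new("<root>#{html}</root>").root)
rescue RuntimeError # REXML::ParseException and the other errors REXML raises on bad input
  CGI.escapeHTML(html)
end

# Constructed sample, not real user data.
UNTRUSTED = %q{Hi <b class="x">there</b><script>alert(1)</script>} +
            %q{<img src="pic.png" onerror="alert(1)"/><a href="javascript:alert(1)">link</a><u>u</u>}
puts sanitize_fragment(UNTRUSTED) # => Hi <b class="x">there</b><img src="pic.png"><a>link</a>u
```

The script tag and the onerror handler disappear, the javascript: href is dropped while the link text stays, and the unlisted <u> is unwrapped to plain text.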

Ruby on Rails : Where not to use find_each

If you have ordered rows of data, don't use find_each to iterate over them in views.

@alerts = @user.alerts.order(updated_at: :desc)

# In views
<% @alerts.find_each do |alert| %>
  <%# find_each fetches rows in batches ordered by primary key, so the updated_at order above is dropped %>
<% end %>
# Rails logs a warning like:
# Scoped order and limit are ignored, it's forced to be batch order and batch size

So it should be written like this instead:

@alerts = @user.alerts.order(updated_at: :desc)

# In views

<% @alerts.each do |alert| %>
  <h2> Alert </h2>

<% end %>