Let's say you have a feature in your application such that you have a text-area (integrated with a text-editor plugin such as CKEditor) in your form and users can write markup. This markup is supposed to be rendered in the view as HTML tags (just as it appeared in the text editor). Suppose you write
Do you know what XSS is?
One of the most widespread and devastating security vulnerabilities in web applications is XSS (cross-site scripting). The attack injects client-side executable code into an HTML document via data that was stored through HTML forms and is later rendered unescaped. Rails provides helper methods to fend these attacks off.
A <script> tag in user-input data may lead to cookie theft. Use the following configuration to avoid such vulnerabilities.
# config/application.rb: the allow-lists the sanitize helper uses for tags and attributes.
# Anything not listed here (script, iframe, onerror, onclick, ...) is stripped from the output.
class Application < Rails::Application
  config.action_view.sanitized_allowed_tags = %w(del dd h3 address big sub tt a ul h4 cite dfn h5 small kbd code b ins img h6 sup pre strong blockquote acronym dt br p samp li ol var em div h1 i abbr h2 span hr)
  config.action_view.sanitized_allowed_attributes = %w(name href style cite class title src xml:lang height datetime alt abbr width)
end
How to use?
-# In the Haml view: turn newlines into <br>, then scrub the result against the allow-list above.
-# sanitize returns an html_safe string, so no trailing .html_safe is needed (and it must never be
-# applied to the unsanitized message, or the markup is rendered as-is).
= sanitize comment.message.gsub("\n", '<br>')