Security issue in App

Hi,
I am facing the following problem:
I have an app in which a user can edit his/her personal information and we
are showing it in the browser. Some users have added
"<script>alert('Hack');</script>" JavaScript in the name textbox. Due to
this, whenever I am showing the name in the browser it executes the script
and gives a JavaScript alert.
Can anyone tell me how to fix this? Is there any plugin available?

Thanks,
Tushar

Use
<%= h @user.information %>
This will escape angle brackets and therefore neutralize any embedded
JavaScript.

Tushar Gandhi wrote:

> Use
> <%= h @user.information %>
> This will escape angle brackets and therefore neutralize any embedded
> JavaScript.

_Any_ user entered data that you display should be escaped in this
way. You are lucky that no-one with more malicious intentions has
found the hole in your system.

I strongly suggest that you study the guide on securing rails
applications at http://guides.rubyonrails.org/. There may be other
more serious holes in your app.

Colin
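An added example, not code from this thread: the unescaped interpolation the original poster describes, next to the escaped rendering the replies recommend. It uses ERB::Util.html_escape, the standard-library routine behind the Rails h helper; the sample name, the render_* helpers and the leaks_markup? check are constructed for this illustration.

```ruby
# Added example (not from the thread). ERB::Util.html_escape is the stdlib
# routine behind Rails' `h`; it turns & < > " ' into HTML entities so the
# browser displays them instead of parsing them as markup.
require 'erb'

# Constructed sample of what a user typed into the "name" field.
HOSTILE_NAME = "<script>alert('Hack');</script>"

# Vulnerable rendering: the value goes straight into the markup, which is
# what a bare <%= @user.name %> did before Rails 3 escaped output by default.
def render_name_unsafe(name)
  "<p>Name: #{name}</p>"
end

# Fixed rendering: every untrusted value passes through html_escape (h).
def render_name_safe(name)
  "<p>Name: #{ERB::Util.html_escape(name)}</p>"
end

# Check a rendered fragment: with our own <p> wrapper removed, no character
# that can open a tag or break out of an attribute should remain in the
# user-supplied part.
def leaks_markup?(fragment)
  inner = fragment.sub(%r{\A<p>Name: }, '').sub(%r{</p>\z}, '')
  inner.match?(/[<>"']/)
end

if __FILE__ == $PROGRAM_NAME
  puts render_name_unsafe(HOSTILE_NAME) # the script tag survives intact
  puts render_name_safe(HOSTILE_NAME)   # rendered as visible text only
end
```

Note that h escapes quotes and ampersands too, not only angle brackets, which matters when a value lands inside an attribute rather than between tags.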

Charanya Nagarajan wrote:

> Use
> <%= h @user.information %>
> This will escape angle brackets and therefore neutralize any embedded
> JavaScript.
>
> Tushar Gandhi wrote:
>
> > Hi,
> > I am facing the following problem:
> > I have an app in which a user can edit his/her personal information and we
> > are showing it in the browser. Some users have added
> > "<script>alert('Hack');</script>" JavaScript in the name textbox. Due to
> > this, whenever I am showing the name in the browser it executes the script
> > and gives a JavaScript alert.
> > Can anyone tell me how to fix this? Is there any plugin available?
> >
> > Thanks,
> > Tushar

Thanks a lot.
It is working fine.

Yes, you can escape user data. But you also should not allow the original request (with the "Hack") to complete. Try to use mod_security in your Apache installation!

Is there a non-Apache-httpd equivalent?