Hi,
I am facing the following problem:
I have an app in which users can edit their personal information and we
are showing it in the browser. Some users have added
"<script>alert('Hack');</script>" JavaScript in the name textbox. Due to
this, whenever I show the name in the browser it executes the script
and gives a JavaScript alert.
Can anyone tell me how to fix this? Is there any plugin available?
Use
<%= h @user.information %>
This will escape angle brackets and therefore neutralize any embedded
JavaScript.
_Any_ user-entered data that you display should be escaped in this
way. You are lucky that no one with more malicious intentions has
found the hole in your system.
I strongly suggest that you study the guide on securing Rails
applications at http://guides.rubyonrails.org/. There may be other
more serious holes in your app.
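As an added, runnable illustration of the advice above (this is not code from the thread or from Rails itself), the same `h` helper, which in Rails is `ERB::Util#html_escape`, applied with plain ERB outside a Rails app. The two template strings, the sample names and the helper method names are constructed for this example:

```ruby
require "erb"
include ERB::Util   # makes `h` (ERB::Util.html_escape) callable, as it is in Rails views

# Constructed sample inputs standing in for what users typed into the name textbox.
MALICIOUS_NAME = "<script>alert('Hack');</script>"
HARMLESS_NAME  = "O'Brien & Sons"

# The vulnerable template from the question: the value is interpolated verbatim.
UNSAFE_TEMPLATE = "<p>Name: <%= name %></p>"
# The fix from the answer: the value goes through h before it reaches the page.
SAFE_TEMPLATE   = "<p>Name: <%= h name %></p>"

# Render a template with `name` bound as a local variable (plain ERB, no Rails).
def render_name(template, name)
  ERB.new(template).result_with_hash(name: name)
end

def unsafe_html(name)
  render_name(UNSAFE_TEMPLATE, name)
end

def safe_html(name)
  render_name(SAFE_TEMPLATE, name)
end

# Regression guard for a test suite: does the rendered output contain a live
# <script> start tag? Deliberately narrow; it is not a general XSS detector.
def contains_script_tag?(html)
  html.match?(/<script\b/i)
end

if __FILE__ == $PROGRAM_NAME
  puts unsafe_html(MALICIOUS_NAME)   # the browser would execute this
  puts safe_html(MALICIOUS_NAME)     # the browser shows the tag as literal text
  puts safe_html(HARMLESS_NAME)      # ordinary names still display correctly
end
```

`h` replaces `&`, `<`, `>`, `"` and `'` with entity references, which is the right encoding for element content and quoted attribute values. It is not sufficient when the value lands inside a `<script>` block or a JavaScript string literal; that context needs JavaScript/JSON encoding instead. Rails 3.0 and later escape `<%= %>` output by default, so the explicit `h` in the answer is what Rails 2.x required.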
> Use
> <%= h @user.information %>
> This will escape angle brackets and therefore neutralize any embedded
> JavaScript.
ushar Gandhi wrote:
> Hi,
> I am facing the following problem:
> I have an app in which users can edit their personal information and we
> are showing it in the browser. Some users have added
> "<script>alert('Hack');</script>" JavaScript in the name textbox. Due to
> this, whenever I show the name in the browser it executes the script
> and gives a JavaScript alert.
> Can anyone tell me how to fix this? Is there any plugin available?
Yes, you can escape user data. But you also should not allow the original request (with the “Hack”) to complete. Try to use mod_security in your Apache installation!
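For readers who want to see what "block the request" looks like in practice, the following is an added, hypothetical ModSecurity 2.x rule written for this page (it is not from the thread and the rule id is arbitrary). It rejects any request whose parameters contain a `<script` start tag:

```apache
# Hypothetical illustration only: a single ModSecurity 2.x rule, not a full ruleset.
SecRuleEngine On
SecRequestBodyAccess On   # needed so POST bodies (the form submit) are inspected in phase 2
SecRule ARGS "@rx (?i)<script\b" \
    "id:100001,phase:2,deny,status:403,log,msg:'Script tag in request parameter'"
```

This catches the exact payload from the question, but a signature like it is easily bypassed (event-handler attributes, encoded input, other tags), so treat it as a second layer in front of the app. Escaping on output, as the earlier answer says, is the actual fix.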