Hi,
I am facing a following problem:-
I have app in which user can edit his/her personal information and we
are showing it on browser. Some of users has added
"<script>alert('Hack');</script>" javascript in name textbox. Due to
this whenever I am showing name on browser it is executing the script
and giving javascript alert.
Can anyone tell me how to fix this? Is there any plugin avaliable?
Thanks,
Tushar
use
<%= h @user.information %>
This will escape angle brackets and therefore neutralize any embedded
JavaScript
ushar Gandhi wrote:
use
<%= h @user.information %>
This will escape angle brackets and therefore neutralize any embedded
JavaScript
_Any_ user entered data that you display should be escaped in this
way. You are lucky that no-one with more malicious intentions has
found the hole in your system.
I strongly suggest that you study the guide on securing rails
applications at http://guides.rubyonrails.org/. There may be other
more serious holes in your app.
Colin
Charanya Nagarajan wrote:
use
<%= h @user.information %>
This will escape angle brackets and therefore neutralize any embedded
JavaScriptushar Gandhi wrote:
Hi,
I am facing a following problem:-
I have app in which user can edit his/her personal information and we
are showing it on browser. Some of users has added
"<script>alert('Hack');</script>" javascript in name textbox. Due to
this whenever I am showing name on browser it is executing the script
and giving javascript alert.
Can anyone tell me how to fix this? Is there any plugin avaliable?Thanks,
Tushar
Thanks a lot.
It is working fine.
Yes, you can escape user data. But you also should not allow the original request (with the “Hack”) to complete. Try to use mod_security in your apache installation!
Is there a non-Apache-httpd equivalent?
Keep up to date with Rails on Twitter and This Week in Rails
Policies: Conduct, License, Maintenance, Security, Trademarks