Security issue in App

Hi, I am facing the following problem: I have an app in which a user can edit his/her personal information and we are showing it in the browser. Some users have added "<script>alert('Hack');</script>" JavaScript in the name textbox. Due to this, whenever I am showing the name in the browser it is executing the script and giving a JavaScript alert. Can anyone tell me how to fix this? Is there any plugin available?

Thanks, Tushar

Use <%= h @user.information %>. This will escape angle brackets and therefore neutralize any embedded JavaScript.

Tushar Gandhi wrote:

Use <%= h @user.information %>. This will escape angle brackets and therefore neutralize any embedded JavaScript.

_Any_ user-entered data that you display should be escaped in this way. You are lucky that no one with more malicious intentions has found the hole in your system.

I strongly suggest that you study the guide on securing rails applications at http://guides.rubyonrails.org/. There may be other more serious holes in your app.

Colin
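As an added illustration of the advice in this thread (not code from any of the posters), the following stand-alone Ruby script renders the constructed name value from the original question through an ERB template once without escaping and once through ERB::Util.h, the same escaping function that the Rails h helper calls. The templates, the sample value and the check function are assumptions made for the example.

```ruby
require "erb"

# Constructed sample input: the kind of value the thread describes a user
# saving into the "name" field.
MALICIOUS_NAME = "<script>alert('Hack');</script>"

# Vulnerable view: the value is interpolated straight into the HTML, so the
# browser parses the <script> tag and runs it.
UNSAFE_TEMPLATE = ERB.new("<p>Name: <%= name %></p>")

# Fixed view: h() HTML-escapes &, <, >, " and ', so the browser shows the
# text literally instead of executing it. ERB::Util.h is what Rails' h calls.
SAFE_TEMPLATE = ERB.new("<p>Name: <%= ERB::Util.h(name) %></p>")

def render_unsafe(name)
  UNSAFE_TEMPLATE.result_with_hash(name: name)
end

def render_safe(name)
  SAFE_TEMPLATE.result_with_hash(name: name)
end

# Defensive check for a test suite: a raw <script tag surviving into rendered
# output means some view is still missing the escaping.
def contains_raw_script_tag?(html)
  html.match?(/<script\b/i)
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe: #{render_unsafe(MALICIOUS_NAME)}"
  puts "safe:   #{render_safe(MALICIOUS_NAME)}"
  puts "raw script tag in unsafe output? #{contains_raw_script_tag?(render_unsafe(MALICIOUS_NAME))}"
  puts "raw script tag in safe output?   #{contains_raw_script_tag?(render_safe(MALICIOUS_NAME))}"
end
```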

Charanya Nagarajan wrote:

Use <%= h @user.information %>. This will escape angle brackets and therefore neutralize any embedded JavaScript.

Tushar Gandhi wrote:

Hi, I am facing the following problem: I have an app in which a user can edit his/her personal information and we are showing it in the browser. Some users have added "<script>alert('Hack');</script>" JavaScript in the name textbox. Due to this, whenever I am showing the name in the browser it is executing the script and giving a JavaScript alert. Can anyone tell me how to fix this? Is there any plugin available?

Thanks, Tushar

Thanks a lot. It is working fine.

Yes, you can escape user data. But you should also not allow the original request (with the “Hack”) to complete. Try using mod_security in your Apache installation!

Is there a non-Apache-httpd equivalent?