Hi, I am facing a following problem:- I have app in which user can edit his/her personal information and we are showing it on browser. Some of users has added "<script>alert('Hack');</script>" javascript in name textbox. Due to this whenever I am showing name on browser it is executing the script and giving javascript alert. Can anyone tell me how to fix this? Is there any plugin avaliable?
Thanks, Tushar
use <%= h @user.information %> This will escape angle brackets and therefore neutralize any embedded JavaScript
ushar Gandhi wrote:
use <%= h @user.information %> This will escape angle brackets and therefore neutralize any embedded JavaScript
_Any_ user entered data that you display should be escaped in this way. You are lucky that no-one with more malicious intentions has found the hole in your system.
I strongly suggest that you study the guide on securing rails applications at http://guides.rubyonrails.org/. There may be other more serious holes in your app.
Colin
Charanya Nagarajan wrote:
use <%= h @user.information %> This will escape angle brackets and therefore neutralize any embedded JavaScript
ushar Gandhi wrote:
Hi, I am facing a following problem:- I have app in which user can edit his/her personal information and we are showing it on browser. Some of users has added "<script>alert('Hack');</script>" javascript in name textbox. Due to this whenever I am showing name on browser it is executing the script and giving javascript alert. Can anyone tell me how to fix this? Is there any plugin avaliable?
Thanks, Tushar
Thanks a lot. It is working fine.
Yes, you can escape user data. But you also should not allow the original request (with the “Hack”) to complete. Try to use mod_security in your apache installation!
Is there a non-Apache-httpd equivalent?