Injecting JavaScript into HTML while bypassing Rails Sanitize


I am using the following sanitization with ruby on rails for user input...

sanitize(input, tags: %w(a br b h1 h2 h3 h4 i img li ol p strong table tr td th u ul em span), attributes: %w(id class href colspan rowspan src align valign))

Is there a way that someone could inject JavaScript and bypass this particular sanitization? Any advice would be helpful.

1 answer

Josh

Allowing user input to be displayed is always risky. Using the Rails sanitize method is a good start, but there have been security issues in the past and it's likely people will figure out a way past the current implementation in the future.

Security is always an arms race. From the sanitize docs:

It does its best to counter any tricks that hackers may use, like throwing in unicode/ascii/hex values to get past the javascript: filters

That said, comparing your settings w/ the defaults:

%w(a br b h1 h2 h3 h4 i img li ol p strong table tr td th u ul em span) - ActionView::Base.sanitized_allowed_tags.to_a
=> ["table", "tr", "td", "th", "u"]

%w(id class href colspan rowspan src align valign) - ActionView::Base.sanitized_allowed_attributes.to_a
=> ["id", "colspan", "rowspan", "align", "valign"]

looks innocuous to me.
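The attributes the question keeps that actually matter here are href and src, because they carry URLs, and the docs quoted above say the sanitizer's job is to normalise entity-encoded or otherwise disguised scheme names before it decides whether a URL is safe. The following is an added, stand-alone illustration of that normalisation step and is not the Rails or rails-html-sanitizer code (which is built on Loofah/Nokogiri); it uses only the Ruby standard library so it runs without a Rails app. The allowlists are copied from the question; the scheme allowlist (http, https, mailto), the helper names (normalised_scheme, url_attribute_allowed?, filter_attributes) and the sample inputs are assumptions made for the example.

```ruby
# Added example, not the Rails sanitizer: shows what an allowlist sanitizer has
# to do with a URL-valued attribute BEFORE comparing its scheme to an allowlist.
require 'cgi/escape'   # provides CGI.unescapeHTML (decimal, hex and named entities)

# Attribute allowlist copied from the question; href and src carry URLs.
ALLOWED_ATTRIBUTES = %w(id class href colspan rowspan src align valign).freeze
URL_ATTRIBUTES     = %w(href src).freeze

# Schemes that may be kept (assumption for this example). Relative URLs, which
# have no scheme at all, are also kept.
SAFE_SCHEMES = %w(http https mailto).freeze

# Returns the lower-cased scheme of +raw+ after normalisation, or nil when the
# value is a relative URL. Order matters: decode entities first, because an
# entity such as &#10; may itself decode to whitespace that must then be dropped.
def normalised_scheme(raw)
  value = CGI.unescapeHTML(raw.to_s)          # &#106; / &#x6A; / &amp; -> literal chars
  value = value.gsub(/[\x00-\x20\x7f]/, '')   # browsers ignore whitespace/control bytes in a scheme
  scheme = value[/\A([a-z][a-z0-9+.\-]*):/i, 1]
  scheme&.downcase
end

# True when the attribute value may be kept: relative, or an allowlisted scheme.
def url_attribute_allowed?(raw)
  scheme = normalised_scheme(raw)
  scheme.nil? || SAFE_SCHEMES.include?(scheme)
end

# Drops attributes outside the allowlist, and URL attributes whose normalised
# scheme is not on SAFE_SCHEMES. Attribute names are compared case-insensitively.
def filter_attributes(attrs)
  attrs.each_with_object({}) do |(name, value), kept|
    key = name.to_s.downcase
    next unless ALLOWED_ATTRIBUTES.include?(key)
    next if URL_ATTRIBUTES.include?(key) && !url_attribute_allowed?(value)
    kept[key] = value
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: an entity-encoded javascript: URL plus one attribute
  # that is not on the allowlist.
  sample = { 'href' => '&#106;avascript:void(0)', 'class' => 'note', 'title' => 'dropped' }
  p filter_attributes(sample) # => {"class"=>"note"}
end
```

The practical takeaway for the question is not to reimplement this but to pin the behaviour with a regression test: run the application's own sanitize call with these settings over a fixed set of inputs (entity-encoded, whitespace-padded and mixed-case scheme names, plus a plain relative URL) and assert on the output, so that a future change to the sanitizer gem or to the allowlist is caught in CI rather than in production.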