TechQA.

Injecting JavaScript into HTML while bypassing Rails Sanitize

631 views Asked by At

I am using the following sanitization with ruby on rails for user input...

sanitize(input, tags: %w(a br b h1 h2 h3 h4 i img li ol p strong table tr td th u ul em span), attributes: %w(id class href colspan rowspan src align valign))

Is there a way that someone could inject javascript and bypass this particular sanitization? Any advice would be helpful.

javascript ruby-on-rails xss sanitize
Original Q&A
1

There are 1 answers

0
Josh On

Allowing user input to be displayed is always risky. Using the Rails sanitize method is a good start, but there have been security issues in the past and it's likely people will figure out a way past the current implementation in the future.

Security is always an arms race. From the sanitize docs:

It does its best to counter any tricks that hackers may use, like throwing in unicode/ascii/hex values to get past the javascript: filters

That said, comparing your settings w/ the defaults:

%w(a br b h1 h2 h3 h4 i img li ol p strong table tr td th u ul em span) - ActionView::Base.sanitized_allowed_tags.to_a
=> ["table", "tr", "td", "th", "u"]

%w(id class href colspan rowspan src align valign) - ActionView::Base.sanitized_allowed_attributes.to_a
=> ["id", "colspan", "rowspan", "align", "valign"]

looks innocuous to me.

Related Questions in JAVASCRIPT

Related Questions in RUBY-ON-RAILS

Related Questions in XSS

Related Questions in SANITIZE

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions