I have a text area that allows users to type in a description of their cars.
It is saved as :text and, when called, I render it via the ApplicationHelper as below:
module ApplicationHelper
  def markdown(text)
    # Render::HTML is passed as a bare class, so Redcarpet instantiates it with no
    # options; filter_html and hard_wrap are renderer options, not Markdown
    # extensions, and are silently ignored here.
    renderer = Redcarpet::Render::HTML
    @engine = Redcarpet::Markdown.new(renderer,
      hard_wrap: true,
      filter_html: true,
      autolink: true,
      no_intra_emphasis: true
    )
    @engine.render(text)
  end
end
Being paranoid, I tried typing something like this in my textarea:
Markdown.
__Nice.__
<%= @car %>
<script>
alert('damn');
</script>
While the <%= @car %> did not parse into Ruby code, the script was indeed executed.
In my view:
<%= markdown(@car.description).html_safe %>
I wonder if this is the right way to handle it with Redcarpet; is this mechanism prone to any attack, and how can I prevent it?
Best