In an rails application, users can create events and post an url to link to the external event site. How do I sanitize the urls to prevent XSS links? Thanks in advance, example of XSS, which is not preventable by rails' sanitize method <pre class="prettyprint"><code>@url = "javascript:alert('XSS')" <a href="<%=sanitize @url%>">test link</a> </code></pre>

You can use Rails' sanitize method for some basic restriction. Or you can use rgrove's sanitize gem for more options. Hope this helps.

Sanitizing URL to prevent XSS in Rails

In an rails application, users can create events and post an url to link to the external event site.

How do I sanitize the urls to prevent XSS links?

Thanks in advance,

example of XSS, which is not preventable by rails' sanitize method

@url = "javascript:alert('XSS')"
<a href="<%=sanitize @url%>">test link</a>

525

asked Mar 09 '12 13:03

Try sanitizing once the href is already in a tag like:

url = "javascript:alert('XSS')"
sanitize link_to('xss link', url)

This gives me:

<a>xss link</a>

110

answered Oct 12 '22 01:10

You can use Rails' sanitize method for some basic restriction.

Or you can use rgrove's sanitize gem for more options.

Hope this helps.

answered Oct 12 '22 01:10

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!