Menu
In an rails application, users can create events and post an url to link to the external event site.
How do I sanitize the urls to prevent XSS links?
Thanks in advance,
example of XSS, which is not preventable by rails' sanitize method
@url = "javascript:alert('XSS')"
<a href="<%=sanitize @url%>">test link</a>
525
Try sanitizing once the href is already in a tag like:
url = "javascript:alert('XSS')"
sanitize link_to('xss link', url)
This gives me:
<a>xss link</a>
You can use Rails' sanitize method for some basic restriction.
Or you can use rgrove's sanitize gem for more options.
Hope this helps.
43
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
