How to fix XSS in rails

Question

I am able to inject javascript:alert `1` or javascript:alert(1) into the href field of the rails app and it is getting executed as JavaScript. Html encoding is already implemented but it doesnt encode brackets and back quotes.

How to solve this? What is the best method to prevent XSS in rails?

Benoit Esnard · Accepted Answer · 2019-07-31T10:08:59.573

2

You should always validate user input.

For example, since you're expecting an URL, you could check that the submitted string starts with http:// or https://.

submitted_url.start_with?('http://', 'https://')

edited Jul 31 '19 at 10:08

answered Jul 30 '19 at 14:56

Benoit Esnard

13,942
7
65
65

That sounds like a hack right? Is there a module in Rails to output encode these kind of strings? – Anonymous Platypus Jul 31 '19 at 09:28
1

@AnonymousPlatypus: I'm not a Ruby developer so I'm not sure if there's a better way to do this in Ruby / Rails, but the main idea still stands: you need to validate that the submitted URL is a valid URL! Encoding the output isn't enough. – Benoit Esnard Jul 31 '19 at 10:10
The fix is deployed as you have mentioned. Thanks :) – Anonymous Platypus Jul 31 '19 at 10:47

How to fix XSS in rails

1 Answers1