XSS Protection
This week a lot of famous websites, like Twitter, YouTube and even the (supposedly) dead Orkut, suffered XSS attacks.
But first, what is XSS? Wikipedia says:
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications that enables malicious attackers to inject client-side script into web pages viewed by other users. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. Cross-site scripting carried out on websites accounted for roughly 80% of all security vulnerabilities documented by Symantec as of 2007.
How can this little thing bring chaos to your website?
Imagine you have a field, a simple text field, so the user can update his status:
<%= f.text_field :status %>
If you fill it in with something like this:
<script>alert("Your website sucks!")</script>
In your view you show the status like this:
<%= @user.status %>
If there's no XSS protection, every time you load the page you'll see the alert:

How does XSS protection work in Rails 3?
By default all your output is escaped, so in the example above you never see the popup, just the plain text:
<script>alert("Your website sucks!")</script>
And if you want the output not to be escaped, you can use:
<%= raw @user.status %>
And then the popup will appear.
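As an added illustration (not code from the original post), this Ruby script reproduces the two behaviours described above using only the standard library's ERB: `render_status` mimics the escaping that `<%= %>` does in Rails 3, and `raw`/`SafeString` are a minimal stand-in for Rails' `raw` helper and its html_safe marker (assumed names, not the real ActiveSupport classes).

```ruby
require 'erb'

# Constructed sample input: the payload from the post, typed into the status field.
MALICIOUS_STATUS = '<script>alert("Your website sucks!")</script>'

# Minimal stand-in for a string the developer has explicitly marked html_safe.
# (Hypothetical helper class, not ActiveSupport::SafeBuffer.)
class SafeString < String
  def html_safe?
    true
  end
end

# What <%= value %> does in Rails 3: escape anything not marked html_safe.
# ERB::Util.html_escape is the stdlib helper behind Rails' h / html_escape.
# Note that plain Ruby ERB does NOT escape on its own; Rails' template
# handler adds this step, which is why we call it explicitly here.
def render_status(status)
  return status.to_s if status.respond_to?(:html_safe?) && status.html_safe?
  ERB::Util.html_escape(status)
end

# Equivalent of <%= raw @user.status %>: marks the value safe, so it is
# emitted verbatim and the browser executes any script it contains.
def raw(status)
  SafeString.new(status.to_s)
end

# Builds the status paragraph the way the view would, through an ERB template.
def status_paragraph(status)
  template = ERB.new('<p class="status"><%= render_status(status) %></p>')
  template.result(binding)
end

# Defender-side check: after escaping, no tag can survive in the output.
def contains_tag?(html)
  html.include?('<script') || html.include?('</script')
end

if __FILE__ == $PROGRAM_NAME
  puts status_paragraph(MALICIOUS_STATUS)       # escaped: harmless text
  puts status_paragraph(raw(MALICIOUS_STATUS))  # raw: the script tag is back
end
```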
This is a short and simple post, but remember to ALWAYS ESCAPE dangerous user text input; this will probably save you a lot of time in the future.
I'm a 22-year-old man who has been coding since I was 15, which means I've been coding for almost 1/3 of my life.
I'm a passionate Ruby developer; I wrote my first Ruby block about 4 years ago and the fun has never stopped since.
Coded by me, inspired by Stationery by thijsjacobs