开发者

Escape URL in rails

问答 作者:

I have a commenting system where people can leave a comment together with their website. Since rails now escapes everything by default I don't really do anything to avoid XSS and it works find - almost. For some reason the URL isn't escaped.

In order to display the username I have a simple helper:

def display_name(name, site)
  if !site.blank?
    return link_to(name, site)
  else
    return name
  end
end

But if you put something like javascript:alert(1) into the website field it get injecte开发者_C百科d directly into the page - any idea how to escape this?

Even if you escape javascript, malicous users could still create URLs which point to, say, delete urls that could potentially affect a user's data. Why not verify the URL as such when you collect it?

validates :attribute, :url => true

I'd recommend using Thong Kuah's UrlValidator.

继续阅读:escapingruby-on-railssecurityxss

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9