How Do I Prevent a XSS Cross-Site Scripting Attack When Using jQueryUI Autocomplete

I am checking for XSS vulnerabilities in a web application I am developing. This Rails app 开发者_JAVA百科uses the h method to sanitize HTML it generates.

It does, however, make use of the jQueryUI autocomplete widget (new in latest release), where I don't have control over the generated HTML, and I see tags are not getting escaped there. The data fed to autocomplete is retrieved through a JSON request immediately before display. I

Possibilities:

1) Autocomplete has an option to sanitize I don't know about

2) There is an easy way to do this in jQuery I don't know about

3) There is an easy way to do this in a Rails controller I don't know about (where I can't use the h method)

4) Disallow < symbol in the model

Sugestions?

Do you control the JSON being fed to the plugin? If so, your best bet would be to properly escape the data prior its encoding into JSON by using CGI::escapeHTML.

This way, your data will be sanitized and you won't have to worry about XSS.