I’m pleased to announce the release of Cross Site Sniper 0.2.
Cross Site Sniper is one more addition to the ever growing list of tools
that attempt to provide a convenient and DRY method to protect Rails
sites from Cross Site Scripting (XSS) attacks. There are many plugins
and tools out there that attempt to address this issue, but none of them
met my requirements. So, I created Cross Site Sniper, a Ruby on Rails
plugin that automatically wraps html_escape() around ActiveRecord
attribute methods associated with string and text fields in the
All ActiveRecord classes have their dynamically generated accessor
methods for String and Text fields automatically escaped. So, no matter
whether you're calling the method from a view, a helper, or within a
controller as part of an RJS response, you don't need to remember to
wrap it in h(), because it's already escaped.

Form fields on edit forms prepopulate with unescaped data. Users edit
exactly what they originally submitted, without special characters
disappearing or unexpectedly morphing into strings of other characters.

Easy one-time access to unescaped data when you need it, e.g.:

A convenience method for class definitions is available to fine-tune
which string and text fields get escaped automatically.

Original unescaped text is stored in the database and escaped on
output. This allows unescaped data to be accessed more conveniently
when necessary, and improved scrubbing techniques to be instantly
applied to legacy data simply by upgrading or swapping out the plugin
for another. (Some XSS plugins choose to escape the data on input, a
philosophy I don't personally agree with but some people do, so I
thought it was important to explicitly mention this feature here so
people could make informed decisions.)
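To show what "escape on output, store unescaped" looks like in practice, here is an added illustration (not the plugin's own code): a small module that wraps the reader for selected attributes in ERB::Util.html_escape while keeping a raw reader for edit forms. The module, class and method names (EscapeOnOutput, escapes, raw_*) and the Comment stand-in for an ActiveRecord model are assumptions made for this example.

```ruby
require 'erb'

# Added example of the escape-on-output pattern; names are assumptions,
# not Cross Site Sniper's actual API.
module EscapeOnOutput
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    # Declare which string/text attributes get their readers wrapped.
    def escapes(*attrs)
      attrs.each do |name|
        # Raw reader returns the original, unescaped value (for edit forms,
        # or the rare case where you really need the stored text).
        define_method("raw_#{name}") { @attributes[name] }
        # Default reader escapes on every call, so views, helpers and
        # controllers all get HTML-safe output without remembering h().
        define_method(name) do
          value = @attributes[name]
          value.nil? ? nil : ERB::Util.html_escape(value) # keep nil as nil
        end
        # Writer stores the value exactly as submitted (no escaping on input).
        define_method("#{name}=") { |v| @attributes[name] = v }
      end
    end
  end

  def initialize(attributes = {})
    @attributes = {}
    attributes.each { |k, v| send("#{k}=", v) }
  end
end

# Stand-in for an ActiveRecord model with two text-like fields.
class Comment
  include EscapeOnOutput
  escapes :author, :body
end

# Constructed sample input: a typical stored-XSS payload as submitted text.
c = Comment.new(author: 'Tom & Jerry', body: '<script>alert(1)</script>')
c.body     # => "&lt;script&gt;alert(1)&lt;/script&gt;"
c.raw_body # => "<script>alert(1)</script>"
```

Swapping the escaping routine inside the reader (for a stricter scrubber, say) changes what every existing record renders as, without touching the stored data.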
Documentation and installation instructions are at
Feedback and suggestions are welcome and encouraged. Big thanks to my
employer (www.wwidea.org) for allowing this code to be released to the
community under the MIT License.