Security issue in App

Hi,
I am facing the following problem:
I have an app in which a user can edit his/her personal information and we
are showing it in the browser. Some users have added
“” javascript in the name textbox. Due to
this, whenever I show the name in the browser it executes the script
and gives a javascript alert.
Can anyone tell me how to fix this? Is there any plugin available?

Thanks,
Tushar

use
<%= h @user.information %>
This will escape angle brackets and therefore neutralize any embedded
JavaScript

On 5 April 2010 11:29, Charanya N. [email protected] wrote:

use
<%= h @user.information %>
This will escape angle brackets and therefore neutralize any embedded
JavaScript

Any user entered data that you display should be escaped in this
way. You are lucky that no-one with more malicious intentions has
found the hole in your system.

I strongly suggest that you study the guide on securing rails
applications at http://guides.rubyonrails.org/. There may be other
more serious holes in your app.

Colin
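Charanya's `h` call and Colin's rule that every displayed user value gets escaped, side by side as an added example (not code from the thread or from Rails itself); the hostile name, the two templates and the small view class are constructed for illustration:

```ruby
require 'erb'

# Constructed sample value (not from the thread): a "name" saved with a
# script tag in it, the kind of input the original poster described.
HOSTILE_NAME = "Tushar<script>alert('xss')</script>"

# The view as the original app rendered it: the value is interpolated raw.
RAW_TEMPLATE = "<p>Name: <%= name %></p>\n"

# The same view with the h helper. In Rails, h is ERB::Util.html_escape,
# which rewrites & < > " ' to their HTML entities.
ESCAPED_TEMPLATE = "<p>Name: <%= h name %></p>\n"

# Minimal stand-in for a view context: exposes `name` and, via ERB::Util,
# the `h` helper to the template.
class ProfileView
  include ERB::Util
  attr_reader :name

  def initialize(name)
    @name = name
  end

  def render(template)
    ERB.new(template).result(binding)
  end
end

def render_profile(template, name)
  ProfileView.new(name).render(template)
end

# Crude check used only to illustrate the difference: does the rendered
# HTML still contain a script tag the browser would execute?
def contains_script_tag?(html)
  html.match?(/<script\b/i)
end

if __FILE__ == $PROGRAM_NAME
  puts render_profile(RAW_TEMPLATE, HOSTILE_NAME)      # script tag survives
  puts render_profile(ESCAPED_TEMPLATE, HOSTILE_NAME)  # shown as literal text
end
```

Rails 3.0 and later escape `<%= %>` output by default, so the explicit `h` is the Rails 2 idiom this thread was written against.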

Charanya N. wrote:

use
<%= h @user.information %>
This will escape angle brackets and therefore neutralize any embedded
JavaScript

Thanks a lot.
It is working fine.

Yes, you can escape user data. But you also should not allow the original
request (with the “Hack”) to complete. Try to use mod_security in your
apache installation!

2010/4/5 Tushar G. [email protected]

Mário Sérgio Coelho Marroquim
http://blogdomario.wordpress.com
http://www.muraldeideias.com.br
http://www.credishop.com.br

On Mon, Apr 5, 2010 at 5:29 AM, Mario Sergio Coelho Marroquim
[email protected] wrote:

Yes, you can escape user data. But you also should not allow the original
request (with the “Hack”) to complete. Try to use mod_security in your
apache installation!

Is there a non-Apache-httpd equivalent?


Hassan S. ------------------------ [email protected]
twitter: @hassan
