Hi, I’m on Rails 3.2.8 and one of my apps sends some json to create DB
objects. What’s the best way to sanitize json?
I found this post claiming that for json we need to escape manually
since json_escape is broken:
I tried using the sanitize gem (https://github.com/rgrove/sanitize/) but
when using it on a json string it returns NoMethodError (undefined
method `strip’ for #<ActiveSupport::HashWithIndifferentAccess:…
Later on I generate json that is presented raw in the browser and part
of that json is coming from this initial json so it is vulnerable to
XSS. (Soon I’ll try to get rid of the need of using raw.)
So any general advice how to make sure the json does not contain any
malicious code? Or how to use the sanitize gem with json?
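The two problems in the post are separate, and an added example (not from the original post, not Rails code, and not the sanitize gem; the helper names `walk_strings`, `json_for_html` and `HTML_JSON_ESCAPES` are mine) shows both. The `NoMethodError` for `strip` comes from handing a parsed Hash to a sanitizer that only accepts Strings, so the first helper walks the parsed JSON and applies a string-level cleaner to each leaf. The XSS comes from inlining JSON into an HTML page with `raw`, and JSON is not HTML, so the second helper escapes the characters that can break out of a `<script>` block using JSON `\uXXXX` escapes, which every JSON parser and JavaScript decode back to the original characters. The sample payload is constructed for the example.

```ruby
require 'json'

# Added example, not code from the original post, Rails, or the sanitize gem.
#
# 1. walk_strings: apply a String -> String cleaner to every leaf string in a
#    parsed JSON structure (Hash / Array / String). Numbers, booleans and nil
#    pass through unchanged. This is what lets a string-only sanitizer be used
#    on a whole parsed document instead of raising NoMethodError on a Hash.
def walk_strings(node, &cleaner)
  cleaner ||= ->(s) { s } # no block: identity, structure is copied unchanged
  case node
  when Hash   then node.each_with_object({}) { |(k, v), h| h[k] = walk_strings(v, &cleaner) }
  when Array  then node.map { |v| walk_strings(v, &cleaner) }
  when String then cleaner.call(node)
  else node
  end
end

# 2. Characters that are dangerous inside an inline <script> block, mapped to
#    JSON escape sequences. '<' and '>' stop "</script>" from closing the block,
#    '&' stops entity decoding in contexts that apply it, and U+2028 / U+2029
#    are legal inside JSON strings but are line terminators in JavaScript.
HTML_JSON_ESCAPES = {
  '<'      => '\u003c',
  '>'      => '\u003e',
  '&'      => '\u0026',
  "\u2028" => '\u2028',
  "\u2029" => '\u2029',
}.freeze

# Serialize obj to JSON and escape it for embedding in an HTML <script> block.
# The result is still valid JSON that parses back to the same value, so the
# browser-side code does not change; only the byte form on the page does.
def json_for_html(obj)
  JSON.generate(obj).gsub(/[<>&\u2028\u2029]/, HTML_JSON_ESCAPES)
end

# Constructed payload of the kind the post describes (attacker-controlled string
# values that later end up in a page rendered with raw).
SAMPLE_JSON = '{"name":"</script><script>alert(1)</script>","tags":["a&b",1,null]}'

if __FILE__ == $0
  data = JSON.parse(SAMPLE_JSON)
  # Any String -> String cleaner fits here; in the app this is where a
  # string-level sanitizer call would go.
  cleaned = walk_strings(data) { |s| s.delete('<>') }
  puts cleaned.inspect
  puts json_for_html(data)
end
```

In the view this means `raw json_for_html(data)` (or the equivalent escaping at output time) rather than trusting that the stored JSON was cleaned on the way in; escaping belongs at the point of output, for the context the data is placed in. The block given to `walk_strings` is whatever string-level cleaner you choose, for example the sanitize gem's string method, since that gem works on a String and not on a Hash. One caveat: this escaping covers the `<script>` (and element text) context only. If the JSON is placed inside an HTML attribute value, the double quotes in the JSON will terminate the attribute, and HTML-escaping the whole string for that attribute is the right tool there.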