
Preventing XSS in a Rails app, accepted architecture?

Mark Kadlec asked in Rails

I've read and understand the great ways Rails sanitizes data when going from server to client, but I have a question that I would love to get some guidance/input on.

Recently it was discovered there were a couple of places in our code that took user input (first_name, last_name) and created a javascript popup all on the client. You can see the issue where a user could potentially provide a name of <script>hello()</script>.

Some developers are now discussing sanitizing all data and fields on form input, but I feel this is complete overkill since the problem is that we have client side vulnerabilities with the popups, etc.

Does anyone out there actually sanitize values on form validation? Not only do I feel that this is overkill, it could lead to problems with data changing unexpectedly, etc.

What are your thoughts when architecting field persistence in a Rails app to prevent XSS?
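The two approaches the question weighs, as an added example that is not part of the original post: stripping tags at form-validation time versus storing the raw value and escaping for the context of each output sink (the inline-JavaScript popup here). It is plain Ruby with no Rails dependency; in a Rails view the `j` / `escape_javascript` helper plays the role of `js_string_literal` below. The names, the popup markup and the helper names are constructed for illustration.

```ruby
require "erb"
require "json"

# Constructed inputs: the hostile name from the post and a legitimate name
# that happens to contain angle brackets.
HOSTILE_NAME = "<script>hello()</script>"
BENIGN_NAME  = "Bob <Bobby> Jones"

# Option A (what the team proposed): strip tag-like text at form input.
# Lossy for legitimate data, and it only addresses HTML contexts anyway.
def sanitize_on_input(name)
  name.gsub(/<[^>]*>/, "")
end

# Option B: store the raw value and escape at each output sink.

# HTML body/attribute context: entity-escape (Rails' ERB does this by default).
def html_context(name)
  ERB::Util.html_escape(name)
end

# Inline JavaScript string context: JSON-encode the value (handles quotes,
# backslashes and newlines), then neutralize "</" so the literal can never
# terminate the surrounding <script> element.
def js_string_literal(name)
  JSON.generate(name).gsub("</", "<\\/")
end

# The vulnerable popup from the post: raw interpolation into JavaScript.
def vulnerable_popup(name)
  "<script>alert('Hello #{name}');</script>"
end

# The same popup with context-specific escaping at the sink.
def safe_popup(name)
  "<script>alert(#{js_string_literal('Hello ' + name)});</script>"
end

# Detection helper: a rendered block has been broken out of if the embedded
# value contributed a second closing </script>.
def script_broken_out?(markup)
  markup.scan(%r{</script>}i).length > 1
end

if __FILE__ == $0
  puts "input sanitizing mangles:  #{sanitize_on_input(BENIGN_NAME).inspect}"
  puts "vulnerable broken out?     #{script_broken_out?(vulnerable_popup(HOSTILE_NAME))}"
  puts "escaped-at-sink broken out? #{script_broken_out?(safe_popup(HOSTILE_NAME))}"
end
```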
