[Vue/Rails] Rich Text Editor - Possible XSS and how to safeguard?
So I'm working on an app where the Admin dashboard is built on Vue and the backend is Rails. There are parts where the Admin can update some Rich Text content, and it will be rendered by Rails. But in doing so, I think there's a possibility that the Rich Text data will introduce some XSS vulnerability, considering that when Rails renders it, it will render with the HTML markup. I know Rails has some view helpers to sanitize output, but I think it's not a good enough solution because it requires every single developer to remember to do that, which is very prone to human error.
What are some ways to prevent these XSS issues, and if possible, when you guys explain, can you go a little bit more in-depth with your suggestion explanations in each step? Solving this issue aside, I think it's one side of development that's quite interesting and I just generally want to learn more about this.
Rails always sanitizes rendering HTML by default, so it should be fine. Rendering ActionText content is also sanitized and you can use the sanitize helper anytime you want to be sure it gets sanitized.
You just do not want to ever use html_safe or raw, which will introduce XSS vulnerabilities because it will not escape content if you use them.
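As an added example (not code from the thread), the three rendering paths the answer contrasts, in plain Ruby so it runs without Rails: default escaping through ERB::Util.html_escape (what Rails' <%= %> does), a small allow-list sanitizer standing in for the behaviour of the sanitize helper (rails-html-sanitizer), and a raw pass-through standing in for html_safe / raw. The sanitizer and the sample rich-text content are constructed for illustration and are not rails-html-sanitizer itself.

```ruby
require "erb"

# Constructed sample of "rich text" an admin might submit: legitimate
# markup mixed with the kinds of payload a sanitizer has to remove.
RICH_TEXT = '<p>Hello <b>world</b> <a href="https://example.com" onclick="x()">link</a></p>' \
            '<script>alert(1)</script><img src=x onerror="alert(2)">'

# 1. Default rendering (<%= %> in a Rails view): the whole string is
#    entity-escaped, so the browser shows the markup instead of running it.
def escape_all(html)
  ERB::Util.html_escape(html)
end

# 2. Minimal allow-list sanitizer (illustrative stand-in for the sanitize
#    helper): unknown tags are dropped, allowed tags keep only allow-listed
#    attributes, href must be http(s), and text between tags is escaped.
ALLOWED_TAGS  = %w[p b i em strong a ul ol li br].freeze
ALLOWED_ATTRS = { "a" => %w[href] }.freeze

def filter_attrs(tag, attrs)
  (ALLOWED_ATTRS[tag] || []).map do |name|
    val = attrs[/(?:\A|\s)#{name}\s*=\s*"([^"]*)"/, 1]
    next unless val && (name != "href" || val.match?(%r{\Ahttps?://}i))
    %( #{name}="#{ERB::Util.html_escape(val)}")
  end.compact.join
end

def sanitize_allowlist(html)
  out  = +""
  rest = html
  while (m = rest.match(%r{<(/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>}))
    out << ERB::Util.html_escape(m.pre_match)       # text before the tag
    closing, tag, attrs = m[1], m[2].downcase, m[3]
    if ALLOWED_TAGS.include?(tag)
      kept = closing.empty? ? filter_attrs(tag, attrs) : ""
      out << "<#{closing}#{tag}#{kept}>"
    end                                              # disallowed tag: dropped
    rest = m.post_match
  end
  out << ERB::Util.html_escape(rest)                 # trailing text
end

# 3. html_safe / raw: the string reaches the browser untouched, so any
#    script in admin-supplied content executes. Shown as a pass-through.
def render_raw(html)
  html
end
```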