Skip to main content
Ask A Question
You’re not receiving notifications from this thread.

[Vue/Rails] Rich Text Editor - Possible XSS and how to safeguard?

General • Asked by Yi Mei Wang

So I'm working on an app where the Admin dashboard is built on Vue and backend is Rails. There are parts where the Admin can update some Rich Text content, and it will be rendered by Rails. But in doing so, I think there's a possibility that the Rich Text data will introduce some XSS vulnerability considering when Rails render it, it will render with the html markup. I know Rails has some view helpers to sanitize output, but I think it's not a good enough solution because it requires every single developer to remember to do that, which is very prone to human error.

What are some ways to prevent these XSS issues, and if possible, when you guys explain, can you go a little bit more in-depth with your suggestion explanations in each step? Solving this issue aside, I think it's one side of development that's quite interesting and I just generally want to learn more about this

Rails always sanitizes rendering HTML by default, so it should be fine. Rendering ActionText content is also sanitized and you can use the sanitize helper anytime you want to be sure it gets sanitized.

You just do not want to ever use html_safe or raw which will introduce XSS vulnerabilities because it will not escape content if you use them.

Login or Create An Account to join the conversation.

Subscribe to the newsletter

Join 31,152+ developers who get early access to new screencasts, articles, guides, updates, and more.

    By clicking this button, you agree to the GoRails Terms of Service and Privacy Policy.

    More of a social being? We're also on Twitter and YouTube.