All threads / [Vue/Rails] Rich Text Editor - Possible XSS and how to safeguard?

Ask A Question

Notifications

You’re not receiving notifications from this thread.

[Vue/Rails] Rich Text Editor - Possible XSS and how to safeguard?

Yi Mei Wang asked in General

So I'm working on an app where the Admin dashboard is built on Vue and backend is Rails. There are parts where the Admin can update some Rich Text content, and it will be rendered by Rails. But in doing so, I think there's a possibility that the Rich Text data will introduce some XSS vulnerability considering when Rails render it, it will render with the html markup. I know Rails has some view helpers to sanitize output, but I think it's not a good enough solution because it requires every single developer to remember to do that, which is very prone to human error.

What are some ways to prevent these XSS issues, and if possible, when you guys explain, can you go a little bit more in-depth with your suggestion explanations in each step? Solving this issue aside, I think it's one side of development that's quite interesting and I just generally want to learn more about this

Rails always sanitizes rendering HTML by default, so it should be fine. Rendering ActionText content is also sanitized and you can use the sanitize helper anytime you want to be sure it gets sanitized.

You just do not want to ever use html_safe or raw which will introduce XSS vulnerabilities because it will not escape content if you use them.

Join the discussion

Want to stay up-to-date with Ruby on Rails?

Join 37,629+ developers who get early access to new tutorials, screencasts, articles, and more.

    We care about the protection of your data. Read our Privacy Policy.

    logo Created with Sketch.

    Ruby on Rails tutorials, guides, and screencasts for web developers learning Ruby, Rails, Javascript, Turbolinks, Stimulus.js, Vue.js, and more. Icons by Icons8

    © 2020 GoRails, LLC. All rights reserved.