
XSS Protection in Sinatra App

For html = '<b><a href="http://foo.com/">foo</a></b><img src="http://foo.com/bar.jpg" />' and similar input, including JavaScript, will something like this (Sanitize.clean(@post.content) # => 'foo') cover all the bases so that users cannot insert JavaScript and HTML into the database?

Should I take extra steps to disinfect user input?

1 answer

You can use ERB::Util.html_escape (aliased as the shorter h).

See: http://ruby-doc.org/stdlib-1.9.3/libdoc/erb/rdoc/ERB/Util.html#method-ch

Note: copied from a comment by Mladen and posted as a community wiki answer.

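As an added example (not part of the original answer, and not Sinatra's own code), the following standalone Ruby script shows what ERB::Util.html_escape (alias h) does to the question's sample input and to a constructed script payload, and renders both raw and escaped through a plain ERB template, the same way a Sinatra view would. The constants POST_CONTENT and XSS_PAYLOAD, the method names, and the template are assumptions of this example.

```ruby
require 'erb'
include ERB::Util # provides html_escape and its short alias h at top level

# Constructed sample input: the question's HTML plus an event-handler XSS payload.
POST_CONTENT = '<b><a href="http://foo.com/">foo</a></b><img src="http://foo.com/bar.jpg" />'
XSS_PAYLOAD  = %q{<img src=x onerror="alert('xss')">}

# Escape an untrusted string for insertion into an HTML body or attribute value.
# html_escape replaces & < > " and ' with entity references, so the browser
# renders the markup as text instead of parsing it.
def escape_for_html(text)
  h(text)
end

# Minimal ERB view (assumed): the same untrusted value rendered raw and escaped.
# The "raw" paragraph is the vulnerable form; the "safe" paragraph is what the
# answer recommends. A Sinatra erb view would use <%= h(content) %> identically.
TEMPLATE = ERB.new(<<~HTML)
  <p class="raw"><%= content %></p>
  <p class="safe"><%= h(content) %></p>
HTML

def render_post(content)
  TEMPLATE.result(binding) # exposes the local `content` to the template
end

# Returns true when the rendered fragment contains no unescaped tag openers.
def no_raw_tags?(fragment)
  !fragment.include?('<')
end

if __FILE__ == $PROGRAM_NAME
  puts escape_for_html(POST_CONTENT)
  puts escape_for_html(XSS_PAYLOAD)
  puts render_post(XSS_PAYLOAD)
end
```

Storing the raw input in the database is fine as long as every rendering path escapes it on output; the escaping is what stops the payload, not the storage. Note that h is only correct for the HTML body and quoted-attribute contexts: a value placed inside a script block, a URL attribute such as href, or a CSS property needs context-specific escaping or validation instead.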

Source: https://habr.com/ru/post/1403196/
