Sanitizing URL to prevent XSS in Rails

Question

Sanitizing URL to prevent XSS in Rails

In the rails application, users can create events and post a URL to link to an external event site.

How to clear urls to prevent XSS links?

Thanks in advance,

XSS example that cannot be prevented by rail disinfection

@url = "javascript:alert('XSS')" <a href="<%=sanitize @url%>">test link</a>

+6

ruby ruby-on-rails xss

rickypai Mar 09 '12 at 13:31

source share

4 answers

Ben · Answer 1 · 2012-11-28T06:04:14+0000

Try disinfection as soon as href is already in the tag, for example:

 url = "javascript:alert('XSS')" sanitize link_to('xss link', url)

This gives me:

 <a>xss link</a>

Phyo wai win · Answer 2 · 2012-03-09T14:08:35+0000

You can use the Rails sanitize method for some basic restrictions.

Or you can use rgrove sanitize gem for more options.

Hope this helps.

Nikolay · Answer 3 · 2013-12-06T00:53:28+0000

sanitize works with html strings, not URLs. this means that you cannot deactivate the url yourself, but you can clear the part of the html that has the link with the malicious url. eg

 <%= sanitize "<a href='#{@url}'>Things</a>" %>

This will clear your link of all known malicious attributes.

Naofumi Kagami · Answer 4 · 2013-11-21T00:39:43+0000

This vulnerability has been fixed since 3.2.13, 3.1.12, 2.3.18.

The following link also contains a patch that you can use in earlier versions.

https://groups.google.com/forum/#!msg/rubyonrails-security/zAAU7vGTPvI/1vZDWXqBuXgJ

Sanitizing URL to prevent XSS in Rails

More articles: