Tushar Gandhi wrote:

Hi,

I am facing the following problem: I have an app in which users can edit their personal information and we show it in the browser. Some users have added "<script>alert('Hack');</script>" JavaScript in the name textbox. Due to this, whenever I show the name in the browser, it executes the script and gives a JavaScript alert.

Can anyone tell me how to fix this? Is there any plugin available?

Thanks,
Tushar

--
Posted via http://www.ruby-forum.com/.

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.
Charanya Nagarajan wrote:

Use

<%= h @user.information %>

This will escape angle brackets and therefore neutralize any embedded JavaScript.
On 5 April 2010 11:29, Charanya Nagarajan <lists-fsXkhYbjdPsEEoCn2XhGlw@public.gmane.org> wrote:
> use
> <%= h @user.information %>
> This will escape angle brackets and therefore neutralize any embedded
> JavaScript

_Any_ user-entered data that you display should be escaped in this way. You are lucky that no one with more malicious intentions has found the hole in your system. I strongly suggest that you study the guide on securing Rails applications at http://guides.rubyonrails.org/. There may be other more serious holes in your app.

Colin
Tushar Gandhi wrote:

Charanya Nagarajan wrote:
> use
> <%= h @user.information %>
> This will escape angle brackets and therefore neutralize any embedded
> JavaScript

Thanks a lot. It is working fine.
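As an added illustration (not code from anyone in this thread), the stand-alone Ruby script below renders the same profile field with and without escaping, using the standard-library ERB::Util#h that the Rails `h` view helper is built on; the hostile name value and the two one-line views are constructed for the demo.

```ruby
# Added example, not code from the thread: why <%= h ... %> stops the alert.
# Uses only Ruby's standard library; ERB::Util#h is the same helper Rails
# exposes as h / html_escape in views.
require 'erb'
include ERB::Util   # makes h() callable inside the templates below

# Constructed sample input: what an abusive user typed into the name box.
HOSTILE_NAME = "<script>alert('Hack');</script>"

# The view as Tushar had it (raw interpolation) and as Charanya suggested.
UNESCAPED_VIEW = "<p>Name: <%= name %></p>"
ESCAPED_VIEW   = "<p>Name: <%= h name %></p>"

# Render an ERB string; `name` is visible to the template via this binding.
def render(view, name)
  ERB.new(view).result(binding)
end

def render_unescaped(name)
  render(UNESCAPED_VIEW, name)
end

def render_escaped(name)
  render(ESCAPED_VIEW, name)
end

# Regression check a test suite can keep: list the tag names present in the
# rendered HTML. A safe page contains only the tags the template itself has.
def tag_names(html)
  html.scan(%r{</?([a-z][a-z0-9]*)}i).flatten.map(&:downcase).uniq
end

if __FILE__ == $0
  puts render_unescaped(HOSTILE_NAME)   # the <script> survives: stored XSS
  puts render_escaped(HOSTILE_NAME)     # &lt;script&gt;... is shown as text
  puts tag_names(render_escaped(HOSTILE_NAME)).inspect   # only ["p"]
end
```

Rails 3 and later escape ERB output by default, but in the Rails 2 era of this thread every `<%= %>` that prints user data needs the explicit `h`.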
Yes, you can escape user data. But you also should not allow the original request (with the "Hack") to complete. Try to use mod_security in your Apache installation!

2010/4/5 Tushar Gandhi <lists-fsXkhYbjdPsEEoCn2XhGlw@public.gmane.org>
> Charanya Nagarajan wrote:
> > use
> > <%= h @user.information %>
> > This will escape angle brackets and therefore neutralize any embedded
> > JavaScript
>
> Thanks a lot.
> It is working fine.

--
Mário Sérgio Coelho Marroquim
http://blogdomario.wordpress.com
http://www.muraldeideias.com.br
http://www.credishop.com.br
On Mon, Apr 5, 2010 at 5:29 AM, Mario Sergio Coelho Marroquim <mariomarroquim-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> Yes, you can escape user data. But you also should not allow the original
> request (with the "Hack") to complete. Try to use mod_security in your
> apache installation!

Is there a non-Apache-httpd equivalent?

--
Hassan Schroeder ------------------------ hassan.schroeder-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org
twitter: @hassan