Sanitize in Rails

Tram Ho

Cross-site scripting (XSS) attacks are very common, and an application that does not handle them will execute whatever script an attacker injects instead of what its developers intended. Preventing XSS is therefore essential from a security standpoint. And yes, who wants to be hit by unwanted requests and pop-ups?! Some of the common XSS payloads look like the following:

Each of the above payloads pops an alert or a confirmation dialog; clicking "yes" (or simply rendering the page) runs the injected script before you even notice. And this is really annoying!

So, how do you prevent these XSS attacks in the application? In Rails this is fairly easy. The first thing to do is sanitize the incoming parameters, and for that the post uses a small sanitizer module that handles the different kinds of values a request can carry: a single value, a nested object (hash), an array, or an uploaded file. You call it with one function, pass in the ActionController parameters, and get back a sanitized copy.
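The recursive parameter sanitizer described above, written out as an added example (it is not the post's own module and not part of Rails). It uses only the Ruby standard library: ERB::Util.html_escape is the same escaper Rails views apply by default, so the module walks nested hashes and arrays and escapes every string. Keys passed in allow (here the assumed key :time_zone) are left untouched, which is the "allowed parameters" case discussed below, and uploaded-file objects pass through with a separate helper for their user-controlled filename. The module name ParamSanitizer and the helper sanitize_filename are my names, not the post's.

```ruby
require "erb" # ERB::Util.html_escape is what Rails' <%= %> uses to escape output

# Added example, not the original post's code. Walks a params structure
# (call params.to_unsafe_h first for ActionController::Parameters) and
# HTML-escapes every string. Keys listed in `allow` keep their raw value so
# names like "Pacific Time (US & Canada)" are not turned into "US &amp; Canada".
module ParamSanitizer
  module_function

  # value - String, Array, Hash, scalar, or an uploaded-file-like object
  # allow - keys (symbols or strings) whose values must NOT be escaped
  def sanitize(value, allow: [])
    allowed = allow.map(&:to_s)

    # Uploaded files are binary payloads, not text to escape; keep the object
    # and sanitize its filename when you persist it (see sanitize_filename).
    return value if value.respond_to?(:original_filename)

    case value
    when Hash
      value.each_with_object({}) do |(key, val), out|
        out[key] = allowed.include?(key.to_s) ? val : sanitize(val, allow: allow)
      end
    when Array
      value.map { |val| sanitize(val, allow: allow) }
    when String
      ERB::Util.html_escape(value) # escapes & < > " '
    else
      value # Integer, Float, nil, true/false pass through unchanged
    end
  end

  # Reduce a user-supplied filename to a safe basename: drops any directory
  # component (so "../../etc/passwd" becomes "passwd") and replaces every
  # character outside [A-Za-z0-9_.-] with an underscore.
  def sanitize_filename(name)
    base = File.basename(name.to_s).gsub(/[^\w.\-]/, "_")
    base = "_" if base.empty? || base == "." || base == ".."
    base
  end
end

# Constructed sample input, standing in for request params in a controller.
SAMPLE_PARAMS = {
  "comment"   => "<script>alert(1)</script>",
  "tags"      => ["<b>bold</b>", "ok"],
  "profile"   => { "name" => "Eve <img src=x onerror=alert(1)>" },
  "time_zone" => "Pacific Time (US & Canada)",
  "count"     => 3,
}.freeze

def sanitized_sample
  ParamSanitizer.sanitize(SAMPLE_PARAMS, allow: [:time_zone])
end

if __FILE__ == $PROGRAM_NAME
  sanitized_sample.each { |k, v| puts "#{k}: #{v.inspect}" }
  puts ParamSanitizer.sanitize_filename("../../etc/passwd")
end
```

Escaping on input is deliberately lossy, which is exactly why the time-zone value needs an exception: once stored as "US &amp; Canada" it no longer matches any zone name. The layer you should rely on is contextual escaping at output time, which Rails ERB already does for every <%= %>; only raw, html_safe and sanitize with a permissive allowlist bypass it, so those are the calls to audit.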

This module sanitizes the parameters, but in some cases we want to keep &, < and > as they are, for example in a time-zone name such as "Pacific Time (US & Canada)". For those, unfortunately, we have to list them as allowed parameters and store them unescaped after the rest have been sanitized. For display, the post uses sanitize_text for text where the literal <, > and & characters do not need to appear, and steracy_text (the helper is named that way in the original) where they do. Keep in mind that Rails views already escape <%= %> output by default, so the view-side helpers only matter where raw, html_safe or a permissive sanitize call would otherwise let markup through. With that, both parameters and views can be sanitized in Rails with a simple parameter-sanitizing module.


Source : Viblo