How to write when you want to keep line breaks and output while avoiding XSS in Rails

Output the following string, which contains a script tag, in several different ways and compare the results.

@hoge (the string assigned in the controller; a heredoc keeps the line breaks and the indented line)

@hoge = <<~HOGE
  <script>
    alert('you are an idiot');
  </script>
HOGE

Output as it is

erb


<%= @hoge %>

output


<script> alert('you are an idiot'); </script>

result

XSS is avoided because ERB escapes the output by default, but the line breaks and leading spaces collapse into single spaces when the browser renders the text.

html_safe

erb


<%= @hoge.html_safe %>

output


Script is executed!

result

Causes XSS. html_safe marks the string as trusted so ERB skips escaping, and the browser runs the script. Despite its name, html_safe does not make a string safe; it only asserts that it already is.

simple_format(@hoge, sanitize: true)

erb


<%= simple_format(@hoge, sanitize: true) %>

output


alert('you are an idiot');

result

The script tag is stripped by the sanitizer, but its text content remains as plain text (sanitize: true is also simple_format's default).

h(@hoge)

erb


<%= h(@hoge) %>

output


<script> alert('you are an idiot'); </script>

result

XSS is avoided (h is the same escaping the default output applies), but the line breaks and leading spaces are still collapsed by the browser.

simple_format(h(@hoge))

erb


<%= simple_format(h(@hoge)) %>

output


<script>
alert('you are an idiot');
</script>

result

XSS does not occur. The script tag is escaped first, and simple_format then turns the line breaks into HTML so they are retained. Only the leading spaces after each line break are not reflected.

Impressions

If you want to reflect line breaks, simple_format(h(@hoge)) seems to be good: escape first, then add the line-break markup.
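As an added example (not code from the original post, and it does not load Rails), the following pure-Ruby script reproduces the recommended order of operations: escape first with the stdlib ERB::Util.html_escape, which performs the same escaping as Rails' h, and only then convert line breaks, using a simplified stand-in for simple_format written for this illustration. It also shows why the reverse order would reintroduce the script element.

```ruby
require "erb"

# Constructed sample input: the same string the post assigns to @hoge.
HOGE = "<script>\n  alert('you are an idiot');\n</script>"

# Step 1 (what `<%= %>` and `h` do): escape &, <, >, " and ' so the browser
# treats the text as data. ERB::Util.html_escape is Ruby stdlib, not Rails.
def escape_html(text)
  ERB::Util.html_escape(text)
end

# Step 2: a simplified stand-in for Rails' simple_format (hypothetical helper,
# not the Rails implementation): normalise newlines, split on blank lines into
# <p> paragraphs and turn single newlines into <br />. It expects text that is
# already escaped; applied to raw input it would re-introduce live markup.
def paragraphs_with_breaks(escaped_text)
  escaped_text
    .gsub(/\r\n?/, "\n")
    .split(/\n\n+/)
    .map { |para| "<p>#{para.gsub("\n", "<br />\n")}</p>" }
    .join("\n")
end

# The combination the post settles on: simple_format(h(@hoge)).
def safe_format(text)
  paragraphs_with_breaks(escape_html(text))
end

# Check a reviewer would run on the final HTML: no live <script> element
# may remain, whatever the input contained.
def contains_live_script?(html)
  html.match?(/<script\b/i)
end

if __FILE__ == $PROGRAM_NAME
  puts safe_format(HOGE)
  puts "live script present: #{contains_live_script?(safe_format(HOGE))}"
end
```

The leading spaces before `alert` survive in the HTML but collapse when rendered, which is exactly the one difference the post observes.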
