I want to use the sanitize method other than View.

We ran a security assessment of the application currently under development, found an XSS (Cross-Site Scripting) vulnerability, and decided to address it. This is probably obvious knowledge for a web developer, but it was the first time I had dealt with it, so it was quite difficult. I ran into several stumbling blocks, so this time I will write about one of them.

What you want to achieve

Referring to https://qiita.com/kamohicokamo/items/571c58f2d6738a7dfe6a (this article), I would like to sanitize the data as an XSS countermeasure.

Example:

name.html.haml

```haml
'Yamada Taro<script>alert("Yamada Taroです")</script>'
```

If you display it as it is (screenshot: スクリーンショット 2020-10-12 1.19.46.png), the embedded JavaScript is executed. This is bad for security.

```haml
= sanitize 'Yamada Taro<script>alert("Yamada Taroです")</script>'
```

With this sanitize (screenshot: スクリーンショット 2020-10-12 1.19.28.png), the script tag is removed and it becomes just text.

However

You could write sanitize in every View, but I want to neutralize a string containing HTML tags at the point where it is input.

However, since sanitize is a helper method, it is not straightforward to call it anywhere other than a View ...

Method

I made a method like this.

In the model:

```ruby
def remove_script_tag(str)
  ActionController::Base.helpers.sanitize(str)
end
```

If you call this method from before_validation or before_save, you should be able to neutralize a malicious script even when it is submitted as a string.

environment

Ruby 2.6.6, Rails 6.0.3.2
