awkward silence » rails http://tom.wilcoxen.org Fri, 19 Mar 2010 21:39:36 +0000 en hourly 1 http://wordpress.org/?v=3.0 Preventing XSS from entering your database http://tom.wilcoxen.org/2007/06/08/preventing-xss-from-entering-your-database/ http://tom.wilcoxen.org/2007/06/08/preventing-xss-from-entering-your-database/#comments Fri, 08 Jun 2007 21:54:38 +0000 Tom railsrails xss securityUncategorized http://tom.wilcoxen.org/2007/06/08/preventing-xss-from-entering-your-database/ I had all of our data being html-escaped as it was rendered to the page, but the problem is that other systems interact with ours — we send data to web analytics systems and to SalesForce.com. In that case you can’t count on escaping entities on display — you need to catch it on the way into your database.

I found a few sites with some fixes, though most were still focused on cleaning the data on display. I ended up taking Rick’s plugin and applying it at save time in the model object. I’m not sure it’s the cleanest — I’d almost certainly say there is a more elegant way to do this — but this was quick and works great.

It’s still basically designed to be used at output time:

<%= white_list @article.body %>

But instead I include the helper directly to a model and overwrite the attribute setters:


class Contact < ActiveRecord::Base

include WhiteListHelper

def name=(text) write_attribute(:name, white_list(text)) end

end

I tried setting up a before_filter and stepping through the param[] object, but my data was fairly simple and the above was dead easy.

, , ]]> http://tom.wilcoxen.org/2007/06/08/preventing-xss-from-entering-your-database/feed/ 0