Security Warning
apneadiving edited this page Jun 2, 2011
This applies whenever you render infowindows, lists and similar output. When you write something like this:

```ruby
def gmaps4rails_infowindow
  "<h1>It's user's summary: #{summary}</h1>"
end
```
Be aware that, because the infowindow contains HTML, I use `raw` behind the scenes to render it properly. So if you ever have this in the database:

```text
summary = <script type='text/javascript' charset='utf-8'> alert('XSS!!!!');</script>
```

the script will be executed on your page.
As usual, beware when you trust the user...
You can filter the variables as you like, that's really your choice.
The quickest way to get rid of this problem is the following:
```ruby
def gmaps4rails_infowindow
  "<h1>It's user's summary: #{ERB::Util.html_escape summary}</h1>"
end
```

Or:

```ruby
def gmaps4rails_infowindow
  "<h1>It's user's summary: #{ERB::Util.json_escape summary}</h1>"
end
```
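The following is an added, stand-alone illustration (not code from gmaps4rails itself) that puts the unescaped and the `html_escape`d variants side by side on the constructed `summary` value from this page and runs a simple check over the rendered string. `infowindow_unescaped`, `infowindow_escaped`, `contains_script?` and `SCRIPT_PATTERN` are names chosen for this example; only `ERB::Util.html_escape` from Ruby's standard library is used, so it runs without Rails.

```ruby
require 'erb'

# Constructed sample value: what an attacker could store in `summary` through a form.
MALICIOUS_SUMMARY = "<script type='text/javascript' charset='utf-8'> alert('XSS!!!!');</script>"

# Same shape as the model helper on the page, unescaped: the stored value reaches
# the page as raw markup, so a <script> in it runs in every visitor's browser.
def infowindow_unescaped(summary)
  "<h1>It's user's summary: #{summary}</h1>"
end

# Hardened variant: entity-encode the untrusted value before interpolating it into HTML.
# ERB::Util.html_escape turns < > & " ' into &lt; &gt; &amp; &quot; &#39;.
def infowindow_escaped(summary)
  "<h1>It's user's summary: #{ERB::Util.html_escape summary}</h1>"
end

# Rough check for a test suite or a log filter (hypothetical helper): does the rendered
# infowindow still carry a script tag, an inline event handler or a javascript: URL?
# It is deliberately conservative and is no substitute for escaping.
SCRIPT_PATTERN = /<\s*script\b|\bon\w+\s*=|javascript:/i
def contains_script?(html)
  !!(html =~ SCRIPT_PATTERN)
end

if __FILE__ == $0
  puts "unescaped: #{infowindow_unescaped(MALICIOUS_SUMMARY)}"
  puts "escaped:   #{infowindow_escaped(MALICIOUS_SUMMARY)}"
end
```

`ERB::Util.json_escape`, the second option on the page, comes from ActiveSupport rather than Ruby's standard library; it rewrites `<`, `>` and `&` as `\u003C`, `\u003E` and `\u0026`, which is the form you want when the infowindow text is embedded in JSON before it reaches the page.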