I have a problem in a Ruby on Rails app that I am working on. I have been working on the app for months and have never had this problem before, and after a bit of Google searching I think that somehow someone is trying to steal cookies with JavaScript.

When I click on the link I get an alert box titled "the page at www.napkinboard.com says:" that contains the following message:

__utmz=217223433.1270652009.59.3.utmcsr=localhost:3000|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=217223433.2133018314.1265749085.1271097412.1271125626.63; __utmc=217223433; __utmb=217223433.11.10.1271125626

I checked the database and all data associated with this 'food_item' looks completely normal and does not contain any javascript at all.

How did this suddenly happen and how can I stop it? I appreciate any help. Thanks.

EDIT: Can't believe I forgot the URL: http://www.napkinboard.com/food_items/413

+1  A: 

It sounds like you've found a link that exploits an XSS vulnerability using the query string.

Make sure to properly escape all of your output.

SLaks
I just edited the post to include the URL that I ridiculously forgot to include: http://www.napkinboard.com/food_items/413. I definitely need to make sure to escape all of my output, but there is no query string in this URL, right? So I don't know if that can be the issue here. I have clicked on this link before and the alert box did not arise.
conorgil
I have discovered that a user entered their comment as "<script>alert(document.cookie);</script>" so you are absolutely correct. I print comments with: <%=h @napkin.comment %> so shouldn't the output be properly escaped?
conorgil
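One way to check whether some other template prints the comment without `h`, as an added example that is not part of the original thread. It assumes a Rails version where `<%= %>` does not escape by default (before Rails 3); the template names and the `comment.body` / `comment.author` expressions are constructed for illustration.

```ruby
require "erb"

# The comment value reported in the thread.
COMMENT = "<script>alert(document.cookie);</script>"

# Constructed sample templates (hypothetical file names). Only the
# `<%=h @napkin.comment %>` tag is taken from the thread.
TEMPLATES = {
  "food_items/show.html.erb" => <<~'ERB',
    <p><%=h @napkin.comment %></p>
  ERB
  "food_items/_comment.html.erb" => <<~'ERB',
    <li><%= comment.body %></li>
    <li><%= h(comment.author) %></li>
  ERB
}

# An output expression counts as escaped when it starts with h or html_escape.
ESCAPED = /\A(h|html_escape)\b/

# Returns [file, line_number, expression] for every single-line <%= ... %> tag
# whose expression is not wrapped in an escaping helper. Findings are
# candidates for review, not confirmed holes.
def unescaped_outputs(templates)
  findings = []
  templates.each do |file, source|
    source.each_line.with_index(1) do |line, number|
      line.scan(/<%=(.*?)-?%>/) do |(expr)|
        expr = expr.strip
        findings << [file, number, expr] unless expr =~ ESCAPED
      end
    end
  end
  findings
end

# What the browser receives for the comment with and without escaping.
def render_comment(comment, escape)
  value = escape ? ERB::Util.html_escape(comment) : comment
  "<li>#{value}</li>"
end

unescaped_outputs(TEMPLATES).each do |file, number, expr|
  puts "#{file}:#{number}: unescaped output of `#{expr}`"
end
puts render_comment(COMMENT, true)
```

In a real app the same scan would run over the files under `app/views` instead of the inline hash.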
A: 

Load up Firefox and Firebug, and see what the JavaScript and network stack trace show. That should give you an idea of where it's coming from, etc.

dhoss