views:

135

answers:

1

I am checking for XSS vulnerabilities in a web application I am developing. This Rails app uses the h method to sanitize HTML it generates.

It does, however, make use of the jQueryUI autocomplete widget (new in latest release), where I don't have control over the generated HTML, and I see tags are not getting escaped there. The data fed to autocomplete is retrieved through a JSON request immediately before display. I

Possibilities:

1) Autocomplete has an option to sanitize I don't know about

2) There is an easy way to do this in jQuery I don't know about

3) There is an easy way to do this in a Rails controller I don't know about (where I can't use the h method)

4) Disallow < symbol in the model

Suggestions?

+1  A: 

Do you control the JSON being fed to the plugin? If so, your best bet would be to properly escape the data prior to its encoding into JSON by using `CGI::escapeHTML`.

This way, your data will be sanitized and you won't have to worry about XSS.

Andrew Moore
I do, but the standard way to sanitize it is the Rails h method, which is unavailable in a controller.
theschmitzer
@theschmitzer: use `CGI::escapeHTML()`
Andrew Moore
Perfect, thanks
theschmitzer
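The approach agreed on above, as an added example rather than code from the question or answer: the controller HTML-escapes every string field with `CGI.escapeHTML` before JSON-encoding the autocomplete response, so a label the widget inserts into the page as HTML renders as literal text. The record data, the method names and the `contains_raw_tag?` check are constructed for illustration and are not part of the original thread.

```ruby
require 'cgi'
require 'json'

# Constructed sample of what a model query might hand to the autocomplete
# action (hypothetical records, not data from the original post).
RAW_SUGGESTIONS = [
  { id: 1, label: 'Alice Smith' },
  { id: 2, label: '<img src=x onerror=alert(1)>' },
  { id: 3, label: 'Bob & Co <Ltd>' }
].freeze

# Escape every string value the widget will render, then encode to JSON.
# CGI.escapeHTML turns & < > " ' into entities, which is the same escaping
# the Rails h helper applies in a view.
def escaped_autocomplete_json(records)
  safe = records.map do |rec|
    rec.each_with_object({}) do |(key, value), out|
      out[key] = value.is_a?(String) ? CGI.escapeHTML(value) : value
    end
  end
  JSON.generate(safe)
end

# Counterpart that only JSON-encodes. JSON escaping protects the JSON
# syntax, not the HTML context the widget injects the label into, so raw
# angle brackets survive the trip to the browser.
def unescaped_autocomplete_json(records)
  JSON.generate(records)
end

# A check a controller test can run against the response body: no string
# value in the payload may still contain a raw angle bracket.
def contains_raw_tag?(json)
  JSON.parse(json).any? do |rec|
    rec.values.any? { |v| v.is_a?(String) && v.match?(/[<>]/) }
  end
end

if __FILE__ == $PROGRAM_NAME
  puts escaped_autocomplete_json(RAW_SUGGESTIONS)
  puts unescaped_autocomplete_json(RAW_SUGGESTIONS)
end
```

Escaping happens at output time, in the action that renders the JSON, rather than in the model: stored data stays as the user typed it, and any other view that renders the same field with the `h` helper is not double-encoded.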