I am checking for XSS vulnerabilities in a web application I am developing. This Rails app uses the h method to sanitize HTML it generates.
It does, however, make use of the jQueryUI autocomplete widget (new in latest release), where I don't have control over the generated HTML, and I see tags are not getting escaped there. The data fed to autocomplete is retrieved through a JSON request immediately before display. I
Possibilities:
1) Autocomplete has an option to sanitize I don't know about
2) There is an easy way to do this in jQuery I don't know about
3) There is an easy way to do this in a Rails controller I don't know about (where I can't use the h method)
4) Disallow < symbol in the model
Suggestions?
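One way to close the gap the question describes, as an added example (not the asker's code nor jQuery UI's own): escape the label at the point where the menu item is built, since the widget's default renderer concatenates it straight into markup. It assumes jQuery UI 1.8, where the instance is reached via `.data("autocomplete")`, and JSON items shaped `{label, value}`; `installSafeRenderer` and `SAMPLE_ITEMS` are names invented here.

```javascript
// Added example, not code from the question or from jQuery UI.
// Assumes jQuery UI 1.8 autocomplete, whose default _renderItem does
// .append("<a>" + item.label + "</a>"), i.e. the label is parsed as HTML.

// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(s) {
  var map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, function (c) { return map[c]; });
}

// String-building variant for when the menu is assembled by hand or the
// label must sit inside fixed markup. Only the escaped label is interpolated.
function renderItemHtml(item) {
  return "<li><a>" + escapeHtml(item.label) + "</a></li>";
}

function renderMenuHtml(items) {
  return "<ul>" + items.map(renderItemHtml).join("") + "</ul>";
}

// Widget variant: override _renderItem so the label becomes a DOM text node
// via .text(), which is never parsed as HTML. jQuery is passed in as a
// parameter so this file also loads where no DOM/jQuery exists (tests).
function installSafeRenderer($, selector) {
  $(selector).data("autocomplete")._renderItem = function (ul, item) {
    return $("<li></li>")
      .data("item.autocomplete", item)
      .append($("<a></a>").text(item.label))
      .appendTo(ul);
  };
}

// Constructed sample, shaped like the JSON the autocomplete source URL
// returns; the second label deliberately contains markup and an ampersand.
var SAMPLE_ITEMS = [
  { label: "Acme Ltd", value: "acme" },
  { label: "<b>Bold</b> & Co", value: "bold" }
];
```

Keep the escaping in the renderer rather than in the Rails controller: pre-escaped JSON would also land in the text box as the selected `value`, showing `&lt;` to the user.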