tags:

views:

168

answers:

2
Q: 

Ruby on Rails Mysterious Javascript Alert box with cookie information

I have a problem in a Ruby on Rails app that I am working on. I have been working on the app for months and I have never had this problem before and after a bit of Google searches I think that somehow someone is trying to steal cookies with javascript.

When I click on the link I get an alert box titled "the page at www.napkinboard.com says:" and contains the following message:

__utmz=217223433.1270652009.59.3.utmcsr=localhost:3000|utmccn=(referral)|utmcmd=referral|utmcct=/; __utma=217223433.2133018314.1265749085.1271097412.1271125626.63; __utmc=217223433; __utmb=217223433.11.10.1271125626

I checked the database and all data associated with this 'food_item' looks completely normal and does not contain any javascript at all.

How did this suddenly happen and how can I stop it? I appreciate any help. Thanks.

EDIT: Can't believe I forgot the URL: http://www.napkinboard.com/food_items/413

+1  A: 

It sounds like you've found a link that exploits an XSS vulnerability using the query string.

Make sure to properly escape all of your output.

SLaks  2010-04-13 02:44:07
I just edited the post to include the url that I ridiculously forgot to include: http://www.napkinboard.com/food_items/413.I definitely need to make sure to escape all of my output, but there is no query string in this URL right? So I don't know if that can be the issue here. I have clicked on this link before and the alert box did not arise.
conorgil  2010-04-13 03:03:51
I have discovered that a user entered their comment as "<script>alert(document.cookie);</script>" so you are absolutely correct. I print comments with: <%=h @napkin.comment %> so shouldn't the output be properly escaped?
conorgil  2010-04-13 04:04:50
A: 

load up firefox and firebug, and see what the javascript and network stack trace show. That should give you an idea of where it's coming from, etc.

dhoss  2010-04-13 02:46:34

related questions

Is there a rake task for backing up the data in your database?
How to represent cross-model information in MVC?
WYSIWYG editor gem for Rails?
Best Solution For Authentication in Ruby on Rails
Acts-as-readable Rails plugin Issue
Associating source and search keywords with account creation
Any tips on getting Rails to run with an Access back-end?
Being as DRY as possible in a Ruby on Rails App
How Do You Secure database.yml?
What IDE to use for developing in Ruby on Rails on windows?
Is Ruby On Rails ready for the Enterprise?
OpenID authentication in Ruby on Rails
Why Doesn't My Cron Job Work Properly?
Why does sqlite3-ruby-1.2.2 not work on OS X?
Ruby mixins and calling super methods
Why all the Active Record hate?
Haml: how do I set a dymanic class value?
Learning Ruby on Rails any good for Grails?
How to sell Python to a client/boss/person with lots of cash
How do I create a new Ruby on Rails application using MySQL instead of SQLite?
Ruby On Rails with Windows Vista - Best Setup?
What is good forum software to add to an existing Rails application?
How do I fix 'Unprocessed view path found' error with ExceptionNotifier plugin in rails 2.1?
Frequent SystemExit in Ruby when making HTTP calls
Implementation of "Remember me" in a Rails application.