RailsCasts Pro episodes are now free!

Learn more or hide this

XSS Protection in Rails 3

#204 XSS Protection in Rails 3

Mar 08, 2010 | 8 minutes | Views, Security, Rails 3.0
It is easy to be vulnerable to cross site scripting attacks in earlier versions of Rails, but Rails 3 solves this by automatically escaping unsafe input.
Click to Play Video ▶
  • Download:
  • source codeProject Files in Zip (156 KB)
  • mp4Full Size H.264 Video (11.8 MB)
  • m4vSmaller H.264 Video (8.63 MB)
  • webmFull Size VP8 Video (21 MB)
  • ogvFull Size Theora Video (15.1 MB)
Browse_code Browse Source Code

Resources

Update: as Santiago pointed out in the comments, it looks like XSS protection has been back-ported to Rails 2.3 and will be available in Rails 2.3.6.

views/comments/_comment.html.erb 
<div class="comment">
  <%= strong link_to(comment.name, comment.url) %>
  <p><%= comment.content %></p>
</div>
ruby 
# rails c
"foo".html_safe?
safe = "safe".html_safe
safe.html_safe?
application_helper.rb 
def strong(content)
  "<strong>#{h(content)}</strong>".html_safe
end