#109 new
Mike Dvorkin

XSS & SQL Sanitation

Reported by Mike Dvorkin | October 4th, 2009 @ 09:45 PM | in Feature Requests

From alexp: I thought it would be nice to getting some security basics in place before the project gets any bigger so as to make sure that all pages are safe and stopping XSS / injections it would be nice to make sure that the form values are cleaned and sanitized before entry into the db and in display.

Naturally so far there isnt much in the way of protection so we should enforce this server and client side h on all elements for display and striping javascript from inputted forms, and also preventing sql injection. Not sure if you have some code in place elsewhere but would be able to help compile something!

Comments and changes to this ticket

  • AlexP

    AlexP October 11th, 2009 @ 03:26 PM

    • Tag changed from infrastructure to security


    1.Ensure that xss attacks/javascript are removed from all input data prior to db entry


    use white_list & sanitize_params plugins,

    Add to envionment.rb

    config.plugins = [:white_list, :sanitize_params, :all]

    then add in application_controller.rb

    before_filter :sanitize_params

    2.Ensure further validations for each model,

    validates_ inclusion_of, length, format_of etc for all fields,
    create e.g AccountValidations module + corresponding messages to be more descriptive

    3.Move to rails 2.3.4, vulnerability in version 2.3.2, detailed issue with http://weblog.rubyonrails.org/2009/9/4/xss-vulnerability-in-ruby-on..., and other posts, relating to unicode XSS injections, patches are available for 2.3.2, unless using ruby 1.9

  • Rit Li
  • Mike Dvorkin

    Mike Dvorkin January 12th, 2010 @ 08:40 PM

    • Milestone changed from 0.9.7 "Steinitz" to Feature Requests
  • Rearts zbaerves

    Rearts zbaerves January 14th, 2022 @ 07:13 AM

    Here in this article we are going to cover XSS (Cross Site Scripting) and SQL injection. I will be talking about these from an SQL perspective but XSS could be the same. I will go through the whole online assignment writing services process of input sanitization and output cleansing, so if you would like some code to paste into your program or a real world example then here it is.

Please Sign in or create a free account to add a new ticket.

With your very own profile, you can contribute to projects, track your activity, watch tickets, receive and update tickets through your email and much more.

New-ticket Create new ticket

Create your profile

Help contribute to this project by taking a few moments to create your personal profile. Create your profile ยป

Ruby on Rails CRM platform for Web 2.0 and beyond

People watching this ticket