Fix for XSS problems with in_place_edit

Sep 20th, 2006

Category: Ruby On Rails


In_place_edit_for with validation and sanitization
I’ve started having a look at my little Rails app. I’m writing with a security person’s hat on, and one of the problems I’ve run into is that you can’t by default use the h() function with an in-place edit control. So this link has a solution for that…
One quirk seemed to be that when I put in the XSS code <script>alert("xss")</script> using in_place_edit it escapes it OK, but then each time I click into the field and then click OK it re-escapes the contents, giving an ever-expanding field…
Still, the main thing is it gets rid of the XSS problem (well, from a security point of view anyway).
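The escaping round trip behind that ever-expanding field, as an added example that is not part of the original post and not the code from the linked solution. It models in_place_edit as a save/render/re-edit loop in plain Ruby (no Rails needed), with CGI.escapeHTML standing in for h(). The loop itself, and the assumption that the editor is seeded from the markup already on the page, are mine, not verified Rails internals; the three save policies show why escaping at save time grows the field, and two ways to make it stable.

```ruby
require 'cgi'

# Constructed sample input: the payload typed into an in-place-editable field.
XSS_INPUT = '<script>alert("xss")</script>'

# Escape like Rails' h(): CGI.escapeHTML turns <, >, &, " and ' into entities,
# so the browser renders the payload as text instead of executing it.
def h(value)
  CGI.escapeHTML(value.to_s)
end

# Idempotent escape (same idea as the escape_once helper later Rails versions
# ship; this is a stand-in, not that code): undo one level of entity encoding
# before escaping, so an already-escaped string comes back unchanged instead
# of having the '&' of each entity encoded again.
def escape_once(value)
  CGI.escapeHTML(CGI.unescapeHTML(value.to_s))
end

# Variant 1 (the quirk in the post): escape when saving, insert the stored
# markup into the page as-is, and seed the editor from that page markup.
# Assumption: the editor submits the markup it was seeded with. Every OK click
# then re-escapes the '&' of the previous entities, so the field keeps growing.
def escape_on_save(input, cycles)
  stored = h(input)                 # first save: escaped once
  cycles.times do
    submitted = stored              # editor seeded from the escaped page text
    stored    = h(submitted)        # escaped again on save
  end
  stored
end

# Variant 2 (idempotent save): same flow, but save with escape_once, so a value
# that is already escaped is stored unchanged and the field is stable.
def escape_once_on_save(input, cycles)
  stored = escape_once(input)
  cycles.times do
    stored = escape_once(stored)    # no-op once the value is escaped
  end
  stored
end

# Variant 3 (preferred): store the raw text, escape only at render time, and
# seed the editor from the raw model value rather than from the page markup.
# The browser only ever sees inert entities and the stored value never drifts.
def escape_on_render(input, cycles)
  stored = input                    # saved exactly as typed
  cycles.times do
    submitted = stored              # editor gets the raw value back
    stored    = submitted           # saved unchanged
  end
  { stored: stored, rendered: h(stored) }
end

if __FILE__ == $PROGRAM_NAME
  puts "escape on save, 3 re-edits:   #{escape_on_save(XSS_INPUT, 3)}"
  puts "escape_once on save, 3 edits: #{escape_once_on_save(XSS_INPUT, 3)}"
  puts "escape on render, 3 re-edits: #{escape_on_render(XSS_INPUT, 3)[:rendered]}"
end
```

Variant 3 is the one to aim for: the stored column holds what the user typed and every output path runs it through h(), so the in-place editor, the plain show view and any JSON feed all stay safe by construction. escape_once is the pragmatic patch when you cannot change what the editor submits, with the caveat that it also collapses a literal "&amp;" typed by a user into "&amp;" on output rather than preserving it.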
