tags: Security date: 2010-09-27 21:40:57.000000000Z


This week a lot of famous websites, like Twitter, YouTube and even the dead Orkut, were hit by XSS attacks.

## But first, what is XSS? Wikipedia says:

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications that enables malicious attackers to inject client-side script into web pages viewed by other users. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. Cross-site scripting carried out on websites accounted for roughly 80% of all security vulnerabilities documented by Symantec as of 2007.

## How can this little thing bring chaos to your website?

Imagine you have a field, a simple text field, so the user can update their status:

```erb
<%= f.text_field :status %>
```

If you fill it with something like this:

```html
<script>alert("Your website sucks!")</script>
```

In your view you show the status like this:

```erb
<%= @user.status %>
```

If there is no XSS protection, every time you load the page you will see the alert:

/lost image/

## How does XSS protection work in Rails 3?

By default all your output is escaped, so in the example above you never see the popup, just the plain text:

```html
<script>alert("Your website sucks!")</script>
```

If you do not want the output to be escaped, you can use:

```erb
<%= raw @user.status %>
```

And then the popup will appear again, because `raw` tells Rails that you take responsibility for the content being safe.
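To make the mechanism concrete, here is an added example in plain Ruby (standard library only, not code from the original post and not Rails' own implementation) that mimics the Rails 3 behaviour: output is escaped unless the value has been explicitly marked safe. The `SafeString` class and the `escape_for_view`, `raw` and `render_status` helpers are assumed names standing in for ActiveSupport::SafeBuffer, `h` and `raw`.

```ruby
require "erb"

# Simplified stand-in for ActiveSupport::SafeBuffer: a string that
# declares itself already safe, so the view must not escape it again.
class SafeString < String
  def html_safe?
    true
  end
end

# Escape a value on output, unless it has been marked html_safe.
# This is the default path every <%= %> takes in Rails 3.
def escape_for_view(value)
  return value if value.respond_to?(:html_safe?) && value.html_safe?
  ERB::Util.html_escape(value.to_s)
end

# Equivalent of Rails' raw: opt out of escaping for this one value.
def raw(value)
  SafeString.new(value.to_s)
end

# The status view from the post, with escaping applied on output.
STATUS_TEMPLATE = '<p class="status"><%= escape_for_view(status) %></p>'

def render_status(status)
  ERB.new(STATUS_TEMPLATE).result(binding)
end

# Constructed sample input: the payload used in the post.
PAYLOAD = '<script>alert("Your website sucks!")</script>'

if __FILE__ == $0
  puts render_status(PAYLOAD)       # rendered as harmless text
  puts render_status(raw(PAYLOAD))  # script tag reaches the browser intact
end
```

Run it and compare the two lines: the first shows `&lt;script&gt;...`, the second the raw tag that a browser would execute.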

This is a short and simple post, but remember to ALWAYS ESCAPE dangerous user text input; doing so will probably save you a lot of time in the future.