Security Warning
apneadiving edited this page Jun 1, 2011
**Warning**

When you use infowindows, lists, etc., and do this kind of thing:

```ruby
def gmaps4rails_infowindow
  "<h1>It's user's summary: #{summary}</h1>"
end
```
Be aware that because the infowindow contains HTML, I use `raw` to render it properly behind the scenes.

So, if you ever have this in the database:

```
summary = <script type='text/javascript' charset='utf-8'> alert('XSS!!!!');</script>
```

the script will be executed on your page (and the map will fail to display...).

As usual, beware when you trust the user...
**Ok... but what can I do?**
You can filter the variables as you like; that's really your choice.

The quickest way to get rid of this problem is the following:

```ruby
def gmaps4rails_infowindow
  # HTML-escape the untrusted value before it reaches `raw`;
  # to_s matches the original string interpolation for nil summaries.
  ERB::Util.html_escape(summary.to_s)
end
```
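The escaped version above drops the `<h1>` wrapper. To keep your own markup and escape only the untrusted field, here is an added example (not code from the gem or this wiki) that puts the unsafe and hardened infowindows side by side; the `Place` class and its malicious summary value are constructed for illustration:

```ruby
require 'erb'

# Constructed stand-in for a gmaps4rails-enabled model (assumption: not the gem's own class).
class Place
  attr_reader :summary

  def initialize(summary)
    @summary = summary
  end

  # Unsafe version from the wiki: the untrusted summary is interpolated
  # straight into HTML that the gem later renders with `raw`.
  def unsafe_infowindow
    "<h1>It's user's summary: #{summary}</h1>"
  end

  # Hardened version: keep the markup we control, escape only the user data.
  # ERB::Util.html_escape turns < > & " ' into entities, so a stored
  # <script> tag is shown as text instead of being executed.
  def gmaps4rails_infowindow
    "<h1>It's user's summary: #{ERB::Util.html_escape(summary.to_s)}</h1>"
  end
end

# Constructed malicious value mirroring the page's example.
XSS_SUMMARY = "<script type='text/javascript' charset='utf-8'> alert('XSS!!!!');</script>"

# Simplistic check used to compare the two outputs: does a raw <script tag survive?
def live_script_tag?(html)
  html.include?('<script')
end

if __FILE__ == $PROGRAM_NAME
  place = Place.new(XSS_SUMMARY)
  puts "unsafe:   #{place.unsafe_infowindow}"
  puts "hardened: #{place.gmaps4rails_infowindow}"
end
```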