I am checking for XSS vulnerabilities in a web application I am developing. This Rails app uses the h method to sanitize HTML it generates.
It does, however, make use of the jQueryUI autocomplete widget (new in latest release), where I don’t have control over the generated HTML, and I see tags are not getting escaped there. The data fed to autocomplete is retrieved through a JSON request immediately before display. I
Possibilities:
1) Autocomplete has an option to sanitize I don’t know about
2) There is an easy way to do this in jQuery I don’t know about
3) There is an easy way to do this in a Rails controller I don’t know about (where I can’t use the h method)
4) Disallow < symbol in the model
Sugestions?
Do you control the JSON being fed to the plugin? If so, your best bet would be to properly escape the data prior its encoding into JSON by using
CGI::escapeHTML.This way, your data will be sanitized and you won’t have to worry about XSS.