RoR 3 automagically sanitizes ERB templates (when done correctly). However, I’ve got a little project where I’m using RoR for the application tier only and JavaScript for the presentation. So, a typical request is an ajax call to a rails route and rendering the returned json. The issue is that it is currently possible for me to inject js: create a new product with title <script>alert('hello')</script> and this is returned as is on the next request, and the browser happily interprets the script.
Is it best to
- sanitize the inputs on post?
- sanitize the json response on the server? (override to_json?)
- sanitize the json response on the client?
I appreciate any input.
You should encode HTML entities on the content client-side as you’re appending data to the page.
The question is, do your other product fields intentionally contain markup like links or paragraph tags that will also be encoded? If this is the case, and you intend to render some parts of the json response as HTML on the page, then you should be sanitizing your input at the point when new products are created, limiting the HTML tags you allow to a specific subset, and then scrubbing away their attributes. There are libraries to automate this process, like the sanitize gem.
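As an added example (not code from the question or the answer above), here is what "encode HTML entities client-side as you append data to the page" looks like in practice: a small escaping function, the unsafe string-concatenation rendering beside the escaped version, and a DOM variant that uses textContent so the browser never parses the field as markup. The product records are a constructed sample of what the Rails route might return; the container element and field names are assumptions.

```javascript
// Added example: entity-encode untrusted JSON fields at the point where they
// are written into the page. Not part of the original question or answer.

// The five characters that can break out of text or attribute context in HTML.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Replace each special character with its entity; everything else passes through.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe rendering: the JSON field is concatenated straight into markup, so a
// title such as <script>alert('hello')</script> is handed to the parser intact.
function renderProductUnsafe(product) {
  return `<li class="product">${product.title}</li>`;
}

// Safe rendering: every untrusted field is entity-encoded before it joins the markup.
function renderProductSafe(product) {
  return `<li class="product">${escapeHtml(product.title)}</li>`;
}

// Build the whole list; the render callback defaults to the safe version.
function renderProductList(products, render = renderProductSafe) {
  return `<ul>${products.map(render).join('')}</ul>`;
}

// Constructed sample response (not real data): one benign title, one injected script.
const SAMPLE_RESPONSE = [
  { id: 1, title: 'Plain widget' },
  { id: 2, title: "<script>alert('hello')</script>" },
];

// Browser-side alternative: assign with textContent, which sets text and never
// parses HTML, so no escaping function is needed for plain-text fields.
// `container` is an assumed DOM element, e.g. document.getElementById('products').
function appendProductsToPage(products, container) {
  for (const product of products) {
    const li = document.createElement('li');
    li.className = 'product';
    li.textContent = product.title; // text node, not markup
    container.appendChild(li);
  }
}

// When run under Node (no DOM), show the two renderings side by side.
if (typeof document === 'undefined') {
  console.log('unsafe:', renderProductList(SAMPLE_RESPONSE, renderProductUnsafe));
  console.log('safe:  ', renderProductList(SAMPLE_RESPONSE));
}
```

If some fields are meant to carry a limited subset of HTML, this client-side escaping is not the right tool for them; those fields need the server-side whitelist approach the answer describes, and only the plain-text fields go through escapeHtml or textContent.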