Home/ Questions/Q 7014445
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-27T22:31:18+00:00

What is the best way to sanitize an attribute value in rails? The code

  • 0

What is the best way to sanitize an attribute value in rails? The code looks something like this:

<img alt="<%= h 'untrusted-data' %>" src="image-source-here" />

I am specifically concerned about Rule #2 and Rule #3 given on owasp.net XSS prevention cheat sheet.

  1. Attribute Escape Before Inserting Untrusted Data into HTML Common Attributes
  2. JavaScript Escape Before Inserting Untrusted Data into JavaScript Data Values

Is html_escape method enough for the purpose? For some reason I cant use the tag method provided by TagHelper here. Using Rails 2.3.5 version.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Yes, it’s good enough. (with another ” though but I guess it’s a typo 🙂

    <img alt="<%=h untrusted %>" src="img.png" />

    h will prevent untrusted to contain " and replace it by &quot; so that the attacker will be unable to go out of the alt attribute. Moreover, she will also be unable to exploit something by the alt attribute as no parsing is done in it.

    For example, it would be different if it was in a a‘s href attribute, in which case the attacker would have been able to run some javascript code when clicked even without be able to go out of the attribute. (like javascript:alert(/XSSed/);)

    • 0