WARNING TYPES
Cross Site Scripting (Content Tag)
Cross site scripting (or XSS) is #2 on the 2010 OWASP Top Ten web security risks and it pops up nearly everywhere. XSS occurs when a user-manipulatable value is displayed on a web page without escaping it, allowing someone to inject Javascript or HTML into the page.
content_tag is a view helper which generates an HTML tag with some content:
>> content_tag :p, "Hi!"
=> "<p>Hi!</p>"
In Rails 2, this content is unescaped (although attribute values are escaped):
>> content_tag :p, "<script>alert(1)</script>"
=> "<p><script>alert(1)</script></p>"
In Rails 3, the content is escaped. However, only the content and the tag attribute values are escaped. The tag and attribute names are never escaped in Rails 2 or 3.
This is more dangerous than a typical method call because content_tag
marks its output as “HTML safe”, meaning the rails_xss
plugin and Rails 3 auto-escaping will not escape its output. Due to this, content_tag
should be used carefully if user input is provided as an argument.
Note that while content_tag
does have an escape
parameter, this only applies to tag attribute values and is true by default.
Back to Warning Types