We have been using xss_sanitize, which is nicely bundled plugin. You drop it in your Rails application and rest the plugin takes care of protecting from XSS attacks. In our project, we found issues dealing with other special characters like -> microsoft single-double quotes, asterisk, percentage, tilda, angular brackets, question mark etc.
These characters cause extra pain to handle when they appear in urls. You have to encode/decode them. Rolled out a simple but effective plugin. It does nothing but puts an extra layer of sanitization on top of xss_terminate. Yes it is independent of xss_terminate and you can just use it.
Check the project page for usage.
No comments:
Post a Comment