2 votes

I read and tested that simple_format allows certain HTML tags.

Is that safe enough to protect against XSS? (Assuming I don't mind if users put HTML in to make their text pretty.) Could this result in XSS, or should I stick with the h method?

Comments:

You can't both use the h method and use simple_format. They're mutually exclusive. – meagar♦

I want to sanitize to keep XSS away, but I also want to allow certain tags (in particular, keep the line breaks the user inputs). – Nick Ginanto

Then use simple_format. As stated in the documentation, it attempts to sanitize its input. – meagar♦

So that's the question: does it protect against XSS? – Nick Ginanto

It's the first thing listed in the documentation. – meagar♦

1 Answer

1 vote

It looks like there was a vulnerability in Rails 4.0.0 and 4.0.1 that has now been resolved, so it should be safe. Here's a link to the issue: https://groups.google.com/forum/#!topic/ruby-security-ann/5ZI1-H5OoIM
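The asker wants two things at once: keep the user's line breaks and allow a few harmless tags, without opening an XSS hole. The following is an added example written for this thread, not code from the question, the answer or Rails itself, and it does not reimplement simple_format. It shows the escape-first pattern in plain Ruby: every character is HTML-escaped with the standard library's CGI.escapeHTML, and only a fixed set of exact, attribute-free tag tokens (the constant ALLOWED_TAGS, an assumption of this example) is turned back into real tags before newlines are converted to <br /> and <p> blocks. Because attacker text can only reach the output through those literal tokens, an event-handler attribute, a <script> element or a javascript: URL never survives. The sample inputs are constructed for the demonstration.

```ruby
require "cgi"

# Exact tags that may appear in the output. They carry no attributes, so
# there is nothing an attacker can smuggle through them. (Assumed set.)
ALLOWED_TAGS = %w[b i em strong].freeze

# Escape everything, then restore only the literal "<tag>" / "</tag>"
# tokens from ALLOWED_TAGS. A token such as "<b onmouseover=...>" is not
# an exact match and therefore stays escaped and inert.
def escape_then_allow(text)
  out = CGI.escapeHTML(text.to_s)
  ALLOWED_TAGS.each do |tag|
    out = out.gsub("&lt;#{tag}&gt;", "<#{tag}>")
    out = out.gsub("&lt;/#{tag}&gt;", "</#{tag}>")
  end
  out
end

# Preserve the user's line structure the way a paragraph helper does:
# blank-line separated chunks become <p> blocks, single newlines become
# a trailing "<br />" on the next line. Escaping happens first, so the
# markup added here is the only markup that was not authored by us.
def format_with_breaks(text)
  safe = escape_then_allow(text.to_s.gsub(/\r\n?/, "\n"))
  paragraphs = safe.split(/\n{2,}/)
  paragraphs.map { |p| "<p>" + p.gsub("\n", "\n<br />") + "</p>" }.join("\n\n")
end

# Constructed sample inputs: one benign post using an allowed tag and
# line breaks, one hostile post trying a script element and an
# event-handler attribute on an otherwise allowed tag.
BENIGN  = "Hello <b>world</b>\nsecond line\n\nnew paragraph"
HOSTILE = "<script>alert(1)</script><b onmouseover=\"alert(1)\">hi</b>"

if __FILE__ == $0
  puts format_with_breaks(BENIGN)
  puts
  puts format_with_breaks(HOSTILE)
end
```

The hostile input comes out as escaped text plus a stray, harmless </b>; the benign input keeps its bold tag and its line breaks. The trade-off is that any tag outside the list is shown literally rather than rendered, which is exactly the property the asker is trading for XSS safety. If attributes or a richer tag set are needed, this token approach no longer suffices and a real HTML sanitizer (the one simple_format calls, or Loofah behind it) has to parse the markup instead.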