
Right now I am escaping all user input:

ERB::Util.html_escape_once("Netflix & Chill")
> "Netflix &amp; Chill"

Now all my XSS attack worries are gone. However, my end users would not expect this string.

What is the best practice to both protect myself against XSS attacks yet display common use cases of the ampersand (&), as well as what we would expect in URLs (/, ?, &, =)?

One hypothesis I've had is that sites like stackoverflow.com probably .unescape encoded characters after they've made their way to the View. But I'm not sure if this is accurate or a common practice.

Exactly where is it rendered incorrectly? The whole point is, it shouldn't be from the user's perspective. For example &amp; would just be an & in the browser. - Gabor Lengyel

1 Answer


You can use the sanitizer:

text = %{
  <span class="text"> Netflix & Chill </span>
}
<%= sanitize text, tags: %w(span), attributes: %w(class) %>

Where tags are the allowed HTML tags and attributes are the allowed HTML tag attributes.
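As an added illustration (not code from the question or the answer), the script below shows why the escaped string in the question is the correct HTML source: the browser decodes &amp; back to & when displaying it, URL characters other than & are never touched, and unescaping in the view, as the question hypothesises, would turn user-supplied tags back into live markup. It uses ERB::Util.html_escape from Ruby's standard library (html_escape_once and sanitize are Rails helpers); the entity decoder is a small stand-in for the browser, and all sample inputs are constructed.

```ruby
require "erb"

# Escape untrusted text for insertion into an HTML text node.
# This is the same escaping Rails' h / <%= %> applies by default.
def escape_for_html(user_input)
  ERB::Util.html_escape(user_input)
end

# Stand-in for the browser: it decodes the entities html_escape
# produces before showing the text, so the user never sees "&amp;".
ENTITIES = { "&amp;" => "&", "&lt;" => "<", "&gt;" => ">",
             "&quot;" => '"', "&#39;" => "'" }.freeze

def browser_displays(html_source)
  html_source.gsub(/&(?:amp|lt|gt|quot|#39);/, ENTITIES)
end

# The hypothesis from the question: unescape again in the view.
# Whatever markup the user typed is now sent to the browser as-is.
def unescaped_in_view(user_input)
  browser_displays(escape_for_html(user_input))
end

# Constructed sample inputs covering the cases the question raises.
EXAMPLES = {
  ampersand: "Netflix & Chill",
  url:       "https://example.com/search?q=rails&page=2",
  markup:    "<b>bold</b> is not allowed here",
}.freeze

# For each input: what goes into the HTML source, what the user sees,
# and whether the displayed text matches what the user typed.
def demo
  EXAMPLES.transform_values do |raw|
    source = escape_for_html(raw)
    { source: source,
      shown: browser_displays(source),
      round_trips: browser_displays(source) == raw }
  end
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |name, r| puts "#{name}: #{r[:source]}  =>  #{r[:shown]}" }
  puts "unescaped in view: #{unescaped_in_view(EXAMPLES[:markup])}"
end
```

Only & is escaped in the URL example, so a displayed link text stays readable; the markup example shows the same tags coming back verbatim once the view unescapes them, which is the case the answer's allowlist-based sanitize is meant for.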