[RUBY] How to write when you want to keep line breaks and output while avoiding XSS in Rails

Output the following strings including Script tags in various ways and compare the differences.

`@hoge`


<script>
  alert('you are an idiot');
</script>

Output as it is

`erb`


<%= @hoge %>

`output`


<script> alert('you are an idiot'); </script>

result

XSS can be avoided, but line breaks and spaces are not reflected

html_safe

`erb`


<%= @hoge.html_safe %>

`output`


Script is executed!

result

Induces XSS. Despite its name, html_safe is not safe at all.

simple_format(@hoge, sanitize: true)

`erb`


<%= simple_format(@hoge, sanitize: true) %>

`output`


alert('you are an idiot');

result

The script tag is erased

h(@hoge)

`erb`


<%= h(@hoge) %>

`output`


<script> alert('you are an idiot'); </script>

result

XSS can be avoided, but line breaks and spaces are not reflected

simple_format(h(@hoge))

`erb`


<%= simple_format(h(@hoge)) %>

`output`


<script>
alert('you are an idiot');
</script>

result

XSS does not occur. The script tag is escaped and the line breaks are retained. Only the space after the line break is not reflected.

Impressions

If you want to reflect line breaks, simple_format (h (@hoge) seems to be good.

Recommended Posts

How to write when you want to keep line breaks and output while avoiding XSS in Rails

When you want to explicitly write OR or AND with ransack

[Rails] How to write in Japanese

How to write in Model class when you want to save binary data in DB with PlayFramework

How to write the view when Vue is introduced in Rails?

How to write when you want to handle "array of C language strings" like argv [] in Ruby-FFI

A trick when you want to insert a lot of line breaks and tabs when substituting a character string

[Java] How to output and write files!

How to display the text entered in text_area in Rails with line breaks

When you want to bind InputStream in JDBI3

[Ruby on Rails] How to write enum in Japanese

How to write Rails

How to write a date comparison search in Rails

When you want to dynamically replace Annotation in Java8

[Ruby + Rails] When you want to register in Mailchimp's mail list together with user registration

How to solve the problem when the value is not sent when the form is disabled in rails and sent

How to specify character code and line feed code in JAXB

[Rails] How to define macros in Rspec and standardize processing

How to set character code and line feed code in Eclipse

[Rails] Differences between redirect_to and render methods and how to output render methods

How to write and notes when migrating from VB to JAVA

docker-compose.yml when you want to keep mysql running with docker

[Rails5] japanMap link How to write parameters in js.erb file

Things to keep in mind when using Sidekiq with Rails

[Rails] How to write user_id (foreign key) in strong parameter

How to write Rails validation

How to write Rails seed

How to write Rails routing

[For super beginners] The minimum knowledge you want to keep in mind with hashes and symbols

Method definition location Summary of how to check When defined in the project and Rails / Gem

How to allow annotations to set members you don't want to output when recursively string serializing an object

[Rails / Routing] How to refer to the controller in the directory you created

ProxyFactory is convenient when you want to test AOP in Spring!

[Webpacker] Summary of how to install Bootstrap and jQuery in Rails 6.0

How to output the value when there is an array in the array

How to write ruby if in one line Summary by beginner

[jOOQ] How to CASE WHEN in the WHERE / AND / OR clause

How to delete large amounts of data in Rails and concerns

[Reading impression] "How to learn Rails, how to write a book, and how to teach"

Rails on Tiles (how to write)

[Rails] How to write exception handling?

How to introduce jQuery in Rails 6

How to install Swiper in Rails

When you want Rails to disable a session for a specific controller only

Things to keep in mind when combining if statements and logical operators

What to do and how to install when an error occurs in DXRuby 1.4.7

How to implement search functionality in Rails

How to change app name in rails

How to use custom helpers in rails

How to insert a video in Rails

How to use MySQL in Rails tutorial

How to resolve errors when installing Rails 5.1.3

Basic Rails commands you want to learn

[Rails] [Memo] When to add = to <%%> and when not

[rails] How to configure routing in resources

How to implement ranking functionality in Rails

How to use credentials.yml.enc introduced in Rails 5.2

How to write and explain Dockerfile, docker-compose

How to redirect to http-> https when SSL is enabled in Rails × Heroku environment

When you want to notify an error somewhere when using graphql-spring-boot in Spring Boot

Summary of copy and paste commands used when you want to delete the cache in iOS application development anyway