I have a Rails 3.2 app that interacts with a 3rd party XML API for some data using ActiveResource. We want to ensure against XSS in that 3rd party XML, so we have enabled: ActiveSupport.escape_html_entities_in_json = true This seems to work for the XML data and converts the < tag in a potentially dangerous script call to &lt; like this:
&lt;script>alert('xss')</script>
(not sure why it only escapes the lt TBH, but it seems to be by design)
Problem is that when I convert that XML to JSON & send it to the browser, the browser sees it as unescaped. The string in the JSON that is sent to the browser looks like this:
\u003Cscript\u003Ealert('xss')\u003C/script\u003E"
Can anyone explain why the browser converts this back to the unescaped string, and suggest workarounds?
FWIW I'm using Backbone, Jquery, JST & EJS
Thanks in advance
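The behaviour asked about above, as an added example that is not part of the original post: JSON.parse treats \u003C as an ordinary Unicode escape and hands back a literal "<", so the protection has to be applied when the value is rendered into HTML, not when it is serialised. The JSON body and the field name "title" are constructed for the example; escapeHtml and renderTitle are hypothetical helpers standing in for whatever the JST/EJS template does.

```javascript
// Constructed sample: the JSON body as the Rails app sends it with
// ActiveSupport.escape_html_entities_in_json = true.
const jsonFromServer =
  '{"title":"\\u003Cscript\\u003Ealert(\'xss\')\\u003C/script\\u003E"}';

// Step 1: JSON.parse decodes \u003C to "<". The escape only protected the
// JSON transport (e.g. JSON embedded inside a <script> block); it is gone
// as soon as the string is parsed.
function parseTitle(json) {
  return JSON.parse(json).title;
}

// Step 2: escape for HTML at the point of output (hypothetical helper).
// This is the step a template must do before a value reaches innerHTML.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Step 3: render as a Backbone view would when building markup; the escaped
// value is safe to interpolate, the raw one from step 1 is not.
function renderTitle(json) {
  return '<h1>' + escapeHtml(parseTitle(json)) + '</h1>';
}

function demo() {
  const raw = parseTitle(jsonFromServer);
  const html = renderTitle(jsonFromServer);
  console.log('after JSON.parse:', raw);   // <script>alert('xss')</script>
  console.log('rendered safely:', html);   // <h1>&lt;script&gt;...&lt;/script&gt;</h1>
  return { raw, html };
}
demo();
```

Setting the value through jQuery's .text() or the DOM textContent property instead of concatenating markup avoids the escaping step altogether; only code paths that build HTML strings (innerHTML, .html(), unescaped template tags) need escapeHtml.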