Ruby: an XSS countermeasure for strings that contain leading spaces

wangp070533 · December 05, 2018 · 915 hits
<%= select_tag "select_name", options_for_select(@name_select_list.collect{|p| [p["name"], p["id"]]}), :style => "width:200px", :prompt => I18n.t('labels.items.all') %>

p["name"] = "   <script>alert(9999)</script>"

Expected value: the dropdown shows

<script>alert(9999)</script>

Proposed countermeasure:

<%= select_tag "select_name", options_for_select(@name_select_list.collect{|p| [(sanitize p["name"]), p["id"]]}), :style => "width:200px", :prompt => I18n.t('labels.items.all') %>

Result: the dropdown shows

"   alert(9999)"
<%= select_tag "select_name", options_for_select(@name_select_list.collect{|p| [p["name"], p["id"]]}), :style => "width:200px", :prompt => I18n.t('labels.items.all') %>

Result: the dropdown shows

&nbsp;&nbsp;&nbsp;<script>alert(9999)</script>

Is there a solution that handles this cleanly?

No replies at the moment.
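The following is an added example, not code from the post above or from Rails. It reproduces the outcomes the post reports using only the standard library's ERB::Util.html_escape, which is the escaping options_for_select applies to option text, and then shows how to keep the leading spaces without giving up that escaping: escape first and only afterwards turn the leading spaces into &nbsp; entities, or replace them with U+00A0 characters so nothing ever has to be marked html_safe. The value NAME is constructed for the example; strip_tags_roughly is a hypothetical stand-in for the tag stripping the post saw with sanitize (it is not Rails' sanitize), and double_escaped_label is an assumption about how the "&nbsp;&nbsp;&nbsp;<script>..." display in the post came about.

```ruby
require 'erb'

# Constructed sample value modelled on the post's p["name"]: three leading
# spaces followed by a script element.
NAME = "   <script>alert(9999)</script>"

# What options_for_select does to option text by default: HTML-escape it.
# The tags are neutralised, but a browser collapses the leading spaces when
# it renders the <option>, which is the display problem the post starts from.
def escaped_label(name)
  ERB::Util.html_escape(name)
end

# Hypothetical stand-in for the tag stripping the post observed with sanitize:
# the markup is removed, so the data is altered rather than encoded. Good for
# rich-text bodies, wrong for a value that should be shown verbatim.
def strip_tags_roughly(name)
  name.gsub(%r{</?[^>]+>}, '')
end

# Assumed reconstruction of the &nbsp; result in the post: if the spaces are
# replaced with &nbsp; entities *before* escaping, the ampersands are escaped
# too and the user sees the literal text "&nbsp;&nbsp;&nbsp;<script>...".
def double_escaped_label(name)
  ERB::Util.html_escape(name.gsub(' ', '&nbsp;'))
end

# Escape first, then turn only the leading spaces into &nbsp; entities. After
# this step the only markup in the string is the entities added here, so
# marking the result html_safe in Rails cannot reintroduce the script element.
def escaped_label_keep_spaces(name)
  ERB::Util.html_escape(name).sub(/\A */) { |spaces| '&nbsp;' * spaces.length }
end

# Alternative that needs no html_safe at all: swap the leading ASCII spaces for
# U+00A0 characters before the value reaches options_for_select. html_escape
# leaves U+00A0 untouched, so the normal escaping stays in force end to end.
def label_with_nbsp_chars(name)
  name.sub(/\A */) { |spaces| "\u00A0" * spaces.length }
end

if __FILE__ == $PROGRAM_NAME
  puts escaped_label(NAME)
  puts strip_tags_roughly(NAME)
  puts double_escaped_label(NAME)
  puts escaped_label_keep_spaces(NAME)
  puts ERB::Util.html_escape(label_with_nbsp_chars(NAME))
end
```

In a Rails view, label_with_nbsp_chars is the least risky of the two fixes: the list passed to options_for_select is still plain, unescaped data, and the helper escapes it exactly as it did before. escaped_label_keep_spaces works too, but the value must be marked html_safe for the entities to render, so the escape call must stay in front of the substitution; reversing the order reproduces the double-escaped display from the post.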