Add 'Cross-Site Scripting' items to the section 'Output Escaping & Sanitization'

brunofacca / zen-rails-security-checklist

Checklist of security precautions for Ruby on Rails applications.

MIT License

1.81k stars 150 forks source link

Closed ydakuka closed 6 years ago

brunofacca commented 6 years ago

Great contribution, thanks :)

A couple of notes:

The item about URL validation overlaps a bit with the 3rd item in the Handling user input section. I suggest you combine your item about URL validation with that existing item.
In the item about render inline, are you sure <%= rm -rf / %> is possible? I'm not aware that the ERB interpreter can run shell commands like that without calling system, syscall, exec or something like that.

ydakuka commented 6 years ago

[x] ok
[x] I only copied-pasted the text from the article, a link to which is also in pr. I'm not sure, did not check. But the source inspires confidence.

[update pr]

brunofacca commented 6 years ago

Thanks for your contribution.