Sanitize output from malicious user input

Clean the output from the server, if there has been malicious user input.

One problem found:

Adding <script type="text/javascript">alert("hello!");</script> into input boxes, breaks the site.

List of things to sanitize:

Team name
Project name
User name + email
Notes on testing

In tests with

within_fieldset("Team name") do
  fill_in 'team_name', :with => "Ha! <script type='text/javascript'>alert('hello!');</script>"
  click_button 'update'
end

<%= @team.name %> returns "Ha! alert('hello!');" <%= h @team.name %> returns "Ha! <script type='text/javascript'>alert('hello!');</script>"

In the latter, if you open it in the debugger, and print out page.body, you get Ha! <script type='text/javascript'>alert('hello!');</script>

Hence I test with

within("#team-name h2") do
  page.should have_content("Ha! <script type='text/javascript'>alert('hello!');</script>")
end

Resources

Mongomapper sanitization (to_json)
Backbone model escaping

pebblecode / vistazo

Sanitize output from malicious user input #215

Notes on testing

Resources