Update docs/app-rails/application-security.md
Co-authored-by: Rocket <[email protected]>
SammySteiner and rocketnova authored Jun 18, 2024
1 parent bcf2472 commit 44fb76b
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion docs/app-rails/application-security.md
Expand Up @@ -71,7 +71,7 @@ There is currently no file upload or download functionality at this time, so ple
tags = %w(a acronym b strong i em li ul ol h1 h2 h3 h4 h5 h6 blockquote br cite sub sup ins p)
s = sanitize(user_input, tags: tags, attributes: %w(href title))
```
- [x] Rails sanitize() method is used on inputs that will be presented to the UI, including the Admin UI if there is one.
- [x] Rails `sanitize()` method is used on inputs that will be presented to the UI, including the Admin UI if there is one.
- Note: While consensus seems mixed about the necessity to sanitize Rails input fields for defacement, sanitizing inputs is very useful to protect against encoding injection.
- [ ] Inputs for custom colors or CSS filters are sanitized with Rail's `sanitize()` method, and the application builds the CSS in the web application first and ensures it is valid CSS before sanitizing.
- Note: This application currently doesn't have that functionality, but this is a common attack vector in application that do have this functionality.
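Review bot: the only substantive change in this hunk is wrapping `sanitize()` in backticks on the checked line, which is fine, but two wording errors in the surrounding context lines of the same checklist item could be fixed in the same commit: `Rail's \`sanitize()\` method` should read `Rails' \`sanitize()\` method`, and `a common attack vector in application that do have this functionality` should read `a common attack vector in applications that do have this functionality`. The note `While consensus seems mixed about the necessity to sanitize Rails input fields for defacement` is also vague as written; stating what the mixed consensus is about (or dropping the clause and keeping only the encoding-injection rationale) would make the checklist item easier to audit.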
