This post outlines three common web security vulnerabilities with specific examples in Rails. For a more complete list, I highly recommend the OWASP Rails security cheatsheet.
A cross-site scripting attack is when malicious scripts are injected into a web site in order to compromise it.
For example, let's say we want to allow html tags such as <strong> in our blog comments, so we render raw output using the Rails method #html_safe:
| //------------------------------------------------------------------------------------------------------------------ | |
| // YOUR CODE: Create your Zoo "object literal" and Animal "constructor" and "prototypes" here. | |
| //------------------------------------------------------------------------------------------------------------------ | |
| //------------------------------------------------------------------------------------------------------------------ | |
| // DRIVER CODE: Do **NOT** change anything below this point. Your task is to implement code above to make this work. | |
| //------------------------------------------------------------------------------------------------------------------ |
| <!doctype html> | |
| <html> | |
| <head> | |
| <link rel="stylesheet" href="http://cdn.jsdelivr.net/normalize/2.1.0/normalize.css"> | |
| <link rel="stylesheet" href="main.css"> | |
| <link rel="stylesheet" href="http://fonts.googleapis.com/css?family=Open+Sans:300,400,600,700,800"> | |
| <link rel="stylesheet" href="http://fonts.googleapis.com/css?family=Lato:100,900"> | |
| <link rel="stylesheet" href="http://cdnjs.cloudflare.com/ajax/libs/font-awesome/3.0.2/css/font-awesome.min.css"> | |
| </head> |
| /*1. Use basic selectors (id, class, element) to choose an element on the page. | |
| Use the .css() method to alter at least two CSS properties of this element. */ | |
| $('a').css('font-size', '30px') | |
| $('div').css({'background-color' : 'skyblue'}); | |
| $('.dropdown-menu').css({'color' : 'skyblue', 'background-color' : 'yellow'}); | |
| /*2. Use basic selectors and the find() method to select an image on the page | |
| and change it with another image of your choice. */ |
| // Get the element, add a click listener... | |
| document.getElementById("parent-list").addEventListener("click",function(e) { | |
| // e.target is the clicked element! | |
| // If it was a list item | |
| if(e.target && e.target.nodeName == "LI") { | |
| // List item found! Output the ID! | |
| alert("List item " + e.target.id.replace("post-", "") + " was clicked!"); | |
| } | |
| }); |
| <!doctype html> | |
| <html> | |
| <head> | |
| <link rel="stylesheet" href="http://cdn.jsdelivr.net/normalize/2.1.0/normalize.css"> | |
| <link rel="stylesheet" href="main.css"> | |
| <link rel="stylesheet" href="http://fonts.googleapis.com/css?family=Open+Sans:300,400,600,700,800"> | |
| <link rel="stylesheet" href="http://fonts.googleapis.com/css?family=Lato:100,900"> | |
| <link rel="stylesheet" href="http://cdnjs.cloudflare.com/ajax/libs/font-awesome/3.0.2/css/font-awesome.min.css"> | |
| </head> |
| //------------------------------------------------------------------------------------------------------------------ | |
| // YOUR CODE: Create your Zoo "object literal" and Animal "constructor" and "prototypes" here. | |
| //------------------------------------------------------------------------------------------------------------------ | |
| function Animal(name, legs) | |
| { | |
| this.name = name; | |
| this.legs = legs; | |
| // this is a method that gets created every time a new Animal is created | |
| // this.bar = function() { |
| $(document).ready(function () { | |
| $('form').submit('click', function(event){ | |
| event.preventDefault(); | |
| var number = 1 + Math.floor(Math.random() * 6); | |
| var num = {"value" : number}; | |
| var action = $(this).attr('action'); | |
| class RPNCalculator | |
| def evaluate(input) | |
| array = input.split | |
| array.each do |x| | |
| case | |
| when x == "+" | |
| op_index = array.index(x) |