How to Prevent Cross-Site SSS Scripting Attack When Using jQueryUI Autocomplete

Question

How to Prevent Cross-Site SSS Scripting Attack When Using jQueryUI Autocomplete

I am testing for XSS vulnerabilities in a web application under development. This Rails application uses the h method to sanitize the HTML it generates.

However, it uses the jQueryUI autocomplete widget (new in latest release) where I have no control over the generated HTML and I can see that the tags are not escaping them. The data loaded into autocomplete is retrieved via a JSON request just before being rendered. I

Capabilities:

1) Autocomplete has the ability to sanitize, I don't know about

2) There is an easy way to do it in jQuery that I am not aware of

3) There is an easy way to do this in a Rails controller that I am not aware of (where I cannot use the h method)

4) Deny <character in model

Sugestions?

+2

jquery jquery-ui ruby-on-rails xss

theschmitzer May 19 '10 at 11:20

a source to share

1 answer

Andrew moore · Accepted Answer · 2010-05-19T11:47:06+0000

Are you in control of what JSON is loaded into the plugin? If so, the best option would be to output the data correctly before encoding it to JSON using CGI::escapeHTML

.

This way your data will be sanitized and you don't have to worry about XSS.

How to Prevent Cross-Site SSS Scripting Attack When Using jQueryUI Autocomplete

More articles: