ruby on rails - Is data.to_json.html_safe susceptible to XSS attack?
I'm trying to figure out if this code is safe. Is there a possible attack against this code?
<script> data = <%= data.to_json.html_safe %>; </script>
In other words, could the value of data result in a successful attack?
Any string in data that has "</script>" in it can be used to implement XSS in this example. Something along the lines of

data = { b: "</script><script>alert('hi')</script>" }

would work.
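As an added defender-side illustration (not code from the question or answer, and not Rails's own implementation): plain Ruby showing why the raw JSON output terminates the inline script element, and how encoding `<`, `>` and `&` as JSON `\uXXXX` escapes, the same idea behind ActiveSupport's escape_html_entities_in_json setting, removes the break-out while the browser still decodes the identical string. The sample value is constructed to match the answer's data hash.

```ruby
require 'json'

# Constructed sample value, shaped like the `data` hash in the answer.
ATTACK_DATA = { b: "</script><script>alert('hi')</script>" }.freeze

# The HTML parser leaves the "script data" state on the first "</script"
# it sees, regardless of JSON string boundaries, so a raw "<" inside an
# inline script is what makes the break-out possible.
# Escaping <, >, & (plus the JS line terminators U+2028/U+2029) as \uXXXX
# keeps the output valid JSON and decodes to the same string in JavaScript.
# This is a stand-alone re-implementation of the idea, not Rails's code.
JSON_HTML_ESCAPES = {
  '<' => '\u003c', '>' => '\u003e', '&' => '\u0026',
  "\u2028" => '\u2028', "\u2029" => '\u2029'
}.freeze

# JSON that is safe to interpolate into a <script> element.
def json_for_script(value)
  JSON.generate(value).gsub(/[<>&\u2028\u2029]/, JSON_HTML_ESCAPES)
end

# Simulated view output: the ERB line from the question with the JSON
# already substituted in place of <%= data.to_json.html_safe %>.
def render_script(json)
  "<script> data = #{json}; </script>"
end

# Minimal review check: does the JSON contain a "</script" sequence?
# Browsers match it case-insensitively, so the check does too.
def breaks_out_of_script?(json)
  json.match?(%r{</script}i)
end

if __FILE__ == $PROGRAM_NAME
  puts render_script(JSON.generate(ATTACK_DATA))   # script element is terminated early
  puts render_script(json_for_script(ATTACK_DATA)) # stays inside the string literal
end
```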