Skip to content
This repository

Warning

When you use infowindows or lists etc...

When you do these kind of things:

def gmaps4rails_infowindow
  "<h1>It's user's summary: #{summary}</h1>"
end

Be aware that because infowindow contains html, I use raw to render it properly behind the scene.

So, if ever you have this in database:

  summary = <script type='text/javascript' charset='utf-8'> alert('XSS!!!!');</script>

The script wil be executed on your page.

As usual, beware when you trust the user...

Ok... but what can I do?

You can filter the variables as you like, that's really your choice.

The quickest way to get rid of this problem is the following:

 def gmaps4rails_infowindow
    "<h1>It's user's summary: #{ERB::Util.html_escape summary}</h1>"
 end

Or:

 def gmaps4rails_infowindow
    "<h1>It's user's summary: #{ERB::Util.json_escape summary}</h1>"
 end
Something went wrong with that request. Please try again.