
prevent HTML/JS injection attacks

1 parent 9b4d0b6 commit ed4b973744f1b277765d36e2c95a709e116f3d03 @hone hone committed Oct 8, 2013
Showing with 10 additions and 1 deletion.
  1. +10 −1 middlewares/chat_backend.rb
@@ -1,6 +1,8 @@
require 'faye/websocket'
require 'thread'
require 'redis'
+require 'json'
+require 'erb'
module ChatDemo
class ChatBackend
@@ -32,7 +34,7 @@ def call(env)
ws.on :message do |event|
p [:message, event.data]
- @redis.publish(CHANNEL, event.data)
+ @redis.publish(CHANNEL, sanitize(event.data))
end
ws.on :close do |event|
@@ -48,5 +50,12 @@ def call(env)
@app.call(env)
end
end
+
+ private
+ def sanitize(message)
+ json = JSON.parse(message)
+ json.each {|key, value| json[key] = ERB::Util.html_escape(value) }
+ JSON.generate(json)
+ end
end
end
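Review bot: `JSON.parse(message)` in `sanitize` raises `JSON::ParserError` on any non-JSON frame, and nothing in the `on :message` handler (second hunk) rescues it, so a single malformed client message now propagates out of the handler where the old code simply republished the bytes. The escaping is also shallower than the commit title suggests: `json.each {|key, value| json[key] = ...}` assumes a flat Hash, so a top-level JSON array would hit `json[key] =` with a non-integer key and raise, and a nested object or array value is passed to `ERB::Util.html_escape`, which as far as I can tell stringifies it via `to_s` rather than escaping its members; keys are never escaped at all. Consider rescuing the parse error explicitly and walking the parsed structure recursively, as sketched below, and add a comment such as `# Escape every string in the payload (keys, values, nested members) so subscribers can render it as HTML; malformed frames are dropped rather than raised` above the method. Whether dropping or passing through a malformed frame is the right policy is a product decision the commit should state.
```ruby
  private
  # Escape every string in the payload (keys, values, nested members) so
  # subscribers can render it as HTML; malformed frames are dropped rather than raised.
  def sanitize(message)
    JSON.generate(escape_json(JSON.parse(message)))
  rescue JSON::ParserError
    # TODO(review): decide whether to drop, log, or pass through malformed messages
    JSON.generate({})
  end

  def escape_json(node)
    case node
    when Hash
      node.each_with_object({}) { |(k, v), h| h[ERB::Util.html_escape(k)] = escape_json(v) }
    when Array
      node.map { |v| escape_json(v) }
    when String
      ERB::Util.html_escape(node)
    else
      node
    end
  end
```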
