In a similar Rails application, I managed to create a recursive hash-check function, which then runs the Sanitize gem's clean / fragment method to remove any HTML elements from the hash of incoming parameters. I used a before filter in application_controller, so everything is cleaned across the application (it is a big application).
Backstory: XSS attacks were possible, especially in IE browsers, but in reality we just don't want all this data stored in the database at all. Although the ultimate goal was that the JSON output did not contain it.
I tried to do the same in a Sinatra application (which has ActiveSupport and JRuby ActiveRecord), but the Sanitize gem will not bundle, because this particular application runs on JRuby for database reasons. Sanitize needs Nokogiri, which in turn needs Nokogumbo, and the latter simply won't build on JRuby in this environment.
So I tried to do the before filter in app.rb using Rack::Utils' built-in HTML escape method, but that blew up the application.
Are there any alternative ways to:
1) sanitize all incoming parameters to the Sinatra application (JRuby)?
And if not, then a smaller option:
2) sanitize all parsed JSON values in a specified list of JSON attributes?
PS. Part of the problem here is that the included local gem, which handles a lot of the parameters and does the JSON rendering, is impossible to debug. I have Pry included in both the host application and the locally linked gems, and when I try to run Pry inside the gem, I cannot view the params hash (it just displays as empty); it seems to be a scope problem.
json jruby hash sanitize sinatra
rcd
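One way to cover both of the asker's options without Nokogiri, as an added example that is not part of the original post and not code from the Sinatra or Sanitize projects: a recursive walk over the params structure that HTML-escapes only String leaves (a naive `Rack::Utils.escape_html` on the whole params hash fails because nested Hashes, Arrays, Integers and nils reach it), plus a variant that escapes only a named list of JSON attributes. It uses only the Ruby standard library (`CGI.escapeHTML`, `JSON`), so it runs on JRuby; the `before`-filter hook shown in the comments assumes Sinatra's `params` is a Hash subclass and is left as an assumption rather than loaded here. Escaping on input stores `&lt;script&gt;` instead of a tag; if the requirement is to strip tags rather than escape them, the same walker can call a different leaf function.

```ruby
require 'cgi'
require 'json'

# Option 1: recursively walk Hash / Array / String / scalar and HTML-escape
# every String leaf. Non-string scalars (Integer, nil, true) pass through
# unchanged; keys are left as-is, only values are escaped.
def deep_escape_html(value)
  case value
  when Hash
    value.each_with_object({}) { |(k, v), h| h[k] = deep_escape_html(v) }
  when Array
    value.map { |v| deep_escape_html(v) }
  when String
    CGI.escapeHTML(value)
  else
    value
  end
end

# Option 2: escape only the listed attribute names (matched at any depth,
# compared as strings); everything else is returned untouched.
def escape_html_attributes(value, attrs)
  allowed = attrs.map(&:to_s)
  case value
  when Hash
    value.each_with_object({}) do |(k, v), h|
      h[k] = if allowed.include?(k.to_s) && v.is_a?(String)
               CGI.escapeHTML(v)
             else
               escape_html_attributes(v, attrs)
             end
    end
  when Array
    value.map { |v| escape_html_attributes(v, attrs) }
  else
    value
  end
end

# Helper for a JSON request body: parse, then apply either option.
# JSON.parse raises JSON::ParserError on malformed input; let the caller
# decide whether that becomes a 400.
def sanitize_json_body(raw_json, only: nil)
  parsed = JSON.parse(raw_json)
  only ? escape_html_attributes(parsed, only) : deep_escape_html(parsed)
end

# Hypothetical Sinatra hook (assumption: params is a Hash subclass, so
# Hash#replace is available; sinatra is deliberately not required here):
#
#   before do
#     params.replace(deep_escape_html(params.to_h))
#     if request.media_type == 'application/json'
#       @json_body = sanitize_json_body(request.body.read, only: %w[title bio])
#     end
#   end

if __FILE__ == $0
  # Constructed sample input, not captured from any real request.
  sample = { 'title' => '<script>alert(1)</script>',
             'tags'  => ['<b>x</b>', 3, nil],
             'meta'  => { 'bio' => 'a & b', 'age' => 42 } }
  puts JSON.pretty_generate(deep_escape_html(sample))
  puts JSON.pretty_generate(escape_html_attributes(sample, [:title]))
end
```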