This post explains how to check your Rails application source code for cross-site scripting (XSS) weaknesses.
Cross-site scripting happens when your application takes HTML from user input and lets the browser interpret it as markup instead of showing it as text. The obvious payload is a `<script>` tag, but it is not the only one: an `<img>` tag with an `onerror` handler also executes JavaScript, so filtering `<script>` alone is not enough.
Rails escapes everything rendered through `<%= %>` by default, which means HTML in user input is transformed into text, so the browser will not interpret it as HTML:
`<script>alert("Session based test management");</script>` => `&lt;script&gt;alert(&quot;Session based test management&quot;);&lt;/script&gt;`
But some applications, such as GitHub, allow users to format their text.
The dirty way is to allow raw HTML input (GitHub instead accepts Markdown and renders it), and Rails has API methods, `html_safe` and `raw`, that mark a string as trusted and skip the escaping:
This is OK as long as no direct user input is passed as the parameter of such a method (for your own editor implementation you also want Markdown rather than raw HTML, with the renderer set to escape or strip any HTML the user types). Never trust your users!
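As an added example (not code from the original post), here is the difference in plain Ruby, using `ERB::Util.html_escape`, which is the same escaping Rails applies to `<%= %>` output. `render_raw` stands in for `raw`/`html_safe` (the "dirty way" above), and `render_formatted` shows the safe order for offering formatting: escape the user's text first, then generate markup from it, here with a tiny `*emphasis*` rule as a stand-in for a Markdown renderer. The payloads and the method names are constructed for this example.

```ruby
require "erb"

# Constructed payloads for the example. The first is the post's own test string,
# the second shows why filtering only <script> is not enough.
PAYLOADS = [
  %q{<script>alert("Session based test management");</script>},
  %q{<img src=x onerror="alert(document.cookie)">},
].freeze

# What Rails' <%= %> does by default: escape &, <, >, " and ' so the browser
# shows the input as text. ERB::Util.html_escape is the escaping Rails uses.
def render_escaped(user_input)
  "<p>#{ERB::Util.html_escape(user_input)}</p>"
end

# What `<%= raw user_input %>` or `user_input.html_safe` does: the string is
# trusted and reaches the browser untouched. This is what the html_safe/raw grep
# is meant to find; it is only acceptable when the string never came from a user.
def render_raw(user_input)
  "<p>#{user_input}</p>"
end

# Offering formatting safely: escape FIRST, then build markup from the escaped text.
# The *emphasis* rule is a toy stand-in for a Markdown renderer; the point is that
# the only tags in the output are the ones this method writes itself.
def render_formatted(user_input)
  escaped = ERB::Util.html_escape(user_input)
  "<p>#{escaped.gsub(/\*([^*\n]+)\*/, '<em>\1</em>')}</p>"
end

# True when the output still contains a tag the browser would act on.
def executable_markup?(html)
  html.match?(/<(script|img)\b/i)
end

if $PROGRAM_NAME == __FILE__
  PAYLOADS.each do |p|
    puts "escaped:   #{render_escaped(p)}"
    puts "raw:       #{render_raw(p)}   (executable: #{executable_markup?(render_raw(p))})"
  end
  puts "formatted: #{render_formatted('*hello* <b>not bold</b>')}"
end
```

Run it with `ruby xss_demo.rb`: both payloads survive `render_raw` intact, neither survives `render_escaped`, and `render_formatted` emits an `<em>` it wrote itself while the user's `<b>` stays escaped.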
Use this to find every place where escaping is switched off:
grep -H -r 'html_safe' * | less
grep -H -r 'raw' * | less
The second pattern also matches unrelated words such as draw or raw_post, so expect some noise; every remaining hit should receive a constant or an already-sanitized string, never a request parameter.
Use this to find links that open in a new tab (the page opened that way gets a reference to your window through window.opener):
grep -H -r 'target="_blank"' * | less
and make sure that each such link tag also has this option:
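The grep above only catches a literal `target="_blank"`; in Rails views the same link is often written as `link_to ..., target: "_blank"`, which it misses. The script below is an added example, not code from the original post: it scans ERB templates for both spellings and reports each new-tab link that lacks `rel="noopener"` (or `rel: "noopener"`), the attribute that stops the opened page from reaching back through `window.opener`. The sample template is constructed for the example and `unsafe_blank_targets` is a hypothetical helper name, not a Rails API.

```ruby
# Matches target="_blank" in HTML and target: "_blank" / :target => "_blank" in link_to.
BLANK_TARGET = /target\s*(?:=|:|=>)\s*["']_blank["']/i
# Matches a rel attribute or keyword whose value contains the noopener token.
NOOPENER = /rel\s*(?:=|:|=>)\s*["'][^"']*\bnoopener\b[^"']*["']/i

# Hypothetical helper (not a Rails API): returns "path:line: snippet" for every
# new-tab link in erb_text that does not also carry rel noopener, in line order.
def unsafe_blank_targets(erb_text, path: "(string)")
  findings = []

  # Raw <a ...> tags are examined as a unit so attributes split over lines still count.
  erb_text.scan(/<a\b[^>]*>/i) do |tag|
    line = $~.pre_match.count("\n") + 1
    next unless tag.match?(BLANK_TARGET)
    findings << [line, "#{path}:#{line}: #{tag.strip}"] unless tag.match?(NOOPENER)
  end

  # link_to helper calls keep target:/rel: as keyword arguments; check them per line.
  erb_text.each_line.with_index(1) do |l, n|
    next unless l.include?("link_to") && l.match?(BLANK_TARGET)
    findings << [n, "#{path}:#{n}: #{l.strip}"] unless l.match?(NOOPENER)
  end

  findings.sort.map(&:last)
end

# Constructed sample template for the example: lines 1 and 3 should be reported.
SAMPLE_ERB = <<~ERB
  <a href="https://example.com" target="_blank">missing rel</a>
  <a href="https://example.com" target="_blank" rel="noopener noreferrer">fine</a>
  <%= link_to "Docs", docs_path, target: "_blank" %>
  <%= link_to "Docs", docs_path, target: "_blank", rel: "noopener" %>
  <a href="/local">same tab, nothing to check</a>
ERB

if $PROGRAM_NAME == __FILE__
  # With no arguments, scan the usual Rails view directory; with none found, show the sample.
  files = ARGV.empty? ? Dir.glob("app/views/**/*.erb") : ARGV
  if files.empty?
    puts unsafe_blank_targets(SAMPLE_ERB, path: "sample.erb")
  else
    files.each { |f| puts unsafe_blank_targets(File.read(f), path: f) }
  end
end
```

Run it from the application root as `ruby blank_targets.rb` or pass template paths explicitly; each reported line is a link that needs the rel attribute added alongside its target.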