How Do I Prevent a XSS Cross-Site Scripting Attack When Using jQueryUI Autocomplete

Posted by theschmitzer on Stack Overflow See other posts from Stack Overflow or by theschmitzer
Published on 2010-05-19T11:20:48Z Indexed on 2010/05/19 11:50 UTC
Read the original article Hit count: 427

Filed under:

jQuery

|

jquery-ui

|

rails

|

xss

I am checking for XSS vulnerabilities in a web application I am developing. This Rails app uses the h method to sanitize HTML it generates.

It does, however, make use of the jQueryUI autocomplete widget (new in latest release), where I don't have control over the generated HTML, and I see tags are not getting escaped there. The data fed to autocomplete is retrieved through a JSON request immediately before display. I

Possibilities:

1) Autocomplete has an option to sanitize I don't know about

2) There is an easy way to do this in jQuery I don't know about

3) There is an easy way to do this in a Rails controller I don't know about (where I can't use the h method)

4) Disallow < symbol in the model

Sugestions?

© Stack Overflow or respective owner

Related posts about jQuery

Microsoft and jQuery

as seen on West-Wind - Search for 'West-Wind'
The jQuery JavaScript library has been steadily getting more popular and with recent developments from Microsoft, jQuery is also getting ever more exposure on the ASP.NET platform including now directly from Microsoft. jQuery is a light weight, open source DOM manipulation library for JavaScript that… >>> More
An Introduction to jQuery Templates

as seen on Stephen Walter - Search for 'Stephen Walter'
The goal of this blog entry is to provide you with enough information to start working with jQuery Templates. jQuery Templates enable you to display and manipulate data in the browser. For example, you can use jQuery Templates to format and display a set of database records that you have retrieved… >>> More
Ajax Control Toolkit December 2013 Release

as seen on Stephen Walter - Search for 'Stephen Walter'
Today, we released a new version of the Ajax Control Toolkit that contains several important bug fixes and new features. The new release contains a new Tabs control that has been entirely rewritten in jQuery. You can download the December 2013 release of the Ajax Control Toolkit at http://Ajax.CodePlex… >>> More
jQuery show "loading" during slow operation

as seen on Stack Overflow - Search for 'Stack Overflow'
I'm trying to show a small loading image during a slow operation with jQuery and can't get it right. It's a BIG table with thousands of rows. When I check the "mostrarArticulosDeReferencia" checkbox it removes the "hidden" class from these rows. This operation takes a couple of seconds and I want… >>> More
Tracking download of non-html (like pdf) downloads with jQuery and Google Analytics

as seen on Developer IT - Search for 'Developer IT'
Hi folks, it’s been quite calm at Developer IT’s this summer since we were all involved in other projects, but we are slowly comming back. In this post, we will present a simple way of tracking files download with Google Analytics with the help of jQuery. We work for a client that offers… >>> More

Related posts about jquery-ui

jquery.ui.draggable.js and jquery.ui.widget.js conflict

as seen on Stack Overflow - Search for 'Stack Overflow'
hello I had a working application, which uses a jquery ui dialog. I wanted to make the dialog draggable. As far as I know the only thing needed is the jquery.ui.draggable.js script. So I added it to the scripts I am using, but know I get the following error (as shown in the firebug console): base… >>> More
Use JQuery UI Datepicker with Icons from Jquery UI Theme

as seen on Stack Overflow - Search for 'Stack Overflow'
I have a datepicker control setup using the JQuery UI, I am also using the JQuery UI themes which provide a bunch of default icons that I want to use. The DatePicker allows for specifying a specific image, i.e.: <script type="text/javascript"> $(document).ready(function() { $("#DateFrom")… >>> More
JQuery UI function errors out: Object is not a property or method

as seen on Stack Overflow - Search for 'Stack Overflow'
In the following code I get an error that says autocomplete function Object is not a property or method Here is the code: <title><%= ViewData["pagetitle"] + " | " + config.Sitename.ToString() %></title> <script src="../../Scripts/jqueryui/jquery-ui-1.8.1.custom/development-bundle/ui/minified/jquery… >>> More
Strange jQueryUI dialog error

as seen on Stack Overflow - Search for 'Stack Overflow'
I have dialog created like this $('#add_error').click(function(e) { $('<div>') .load('/someaction/format/html/') .dialog({ title: 'Some title', modal: true, width: 385, close: function() { … >>> More
JavaScript : jQuery UI 1.8 est disponible avec 5 nouveaux plug-ins, 1 nouvel effet et des centaines

as seen on Developper.com - Search for 'Developper.com'
jQuery UI 1.8 est disponible L'équipe de jQuery UI annonce la sortie de jQuery UI 1.8, cette version apporte 5 nouveaux plug-ins, 1 nouvel effet, et des centaines de corrections de bogues et d'améliorations. Pour une liste complète de tous les changements entre jQuery UI 1.7.2 et jQuery UI 1… >>> More