Friday, February 22, 2019

Breakman Rails: How to avoid XSS cross site Warning

on   in   with No comments
I will share some trick to avoid XSS cross site warning in Breakman Rails.

  • Example Case: URL 
          Problem :
            <%= raw generated_link_to("View Barcode","schedule/show_barcode?id="+data[0].to_s+"&schedule_id="+@schedule[:id].to_s","edit_schedule",{:class => 'btn btn-mini btn-info',:remote=>"true"}) %>
          Solved :
            <%= raw generated_link_to("View Barcode", schedule_show_barcode_path({:id=>data[0].to_s, :schedule_id=>@schedule[:id].to_s})"edit_schedule",{:class => 'btn btn-mini btn-info',:remote=>"true"}) %>
           *) schedule_show_barcode_path = route alias in config/routes
          
  • Example Case: Javascript or CSS
          Problem :
         <%= raw generated_link_to('<i class="icon-trash"</i>'.html_safe,"#delete_progress","add_schedule",{:class => 'removedbuttonsetting', :onclick => (params[:row_index],params[:form_type])})%>

<script type="text/javascript">
  function delete_row_form_extrarow(index,form_type){
    $("#tr_body_"+form_type+"_"+index).remove();
  }
</script>

          Solved :
            <%= raw generated_link_to('<i class="icon-trash"></i>'.html_safe,"#delete_progress","add_schedule",{:class => 'removedbuttonsetting', :indexattr => params[:row_index].to_json,:typeattr => params[:form_type].to_json})%>

<script type="text/javascript">
  $(function(){
    $(".removedbuttonsetting").click(function(){
        var index = $(this).attr('indexattr');
        var form_type = $(this).attr('typeattr');
        delete_row_form_extrarow(index,form_type);
    })
  });

  function delete_row_form_extrarow(index,form_type){
    var index1 = JSON.parse(index);
    var form_type1 = JSON.parse(form_type);
    $("#tr_body_"+form_type1+"_"+index1).remove();
  }
</script>


Share:

0 comments:

Post a Comment