Clean up trailing and leading whitespace

app/views/layouts/tutorial/xss/_dom_xss.html.erb

@@ -17,7 +17,7 @@
           <div class="accordion-body in collapse" id="collapseFive" style="height: auto;">
             <div class="accordion-inner">
              <p>
-             DOM Based XSS (or as it is called in some texts, “type-0 XSS”) is an XSS attack wherein the attack payload is executed as a result of modifying the DOM “environment” in the victim’s browser used by the original client side script, so that the client side code runs in an “unexpected” manner. That is, the page itself (the HTTP response that is) does not change, but the client side code contained in the page executes differently due to the malicious modifications that have occurred in the DOM environment.	
+             DOM Based XSS (or as it is called in some texts, “type-0 XSS”) is an XSS attack wherein the attack payload is executed as a result of modifying the DOM “environment” in the victim’s browser used by the original client side script, so that the client side code runs in an “unexpected” manner. That is, the page itself (the HTTP response that is) does not change, but the client side code contained in the page executes differently due to the malicious modifications that have occurred in the DOM environment.
              </p>
             </div>
           </div>
@@ -36,8 +36,8 @@
 			    The following code was taken from app/views/sessions/new.html.erb:
 			  </p>
 			  <pre class="javascript">
-				 <%= 
-				%{ 
+				 <%=
+				%{
 	 <script>
 	 	//document.write("<select style=\"width: 100px;\">");
 	 	//document.write("<OPTION value=1>English</OPTION>");
@@ -50,13 +50,13 @@
 	  \} catch(err) \{
 	  \}
 	  //document.write("</select>");
-     </script> 
-				} 
+     </script>
+				}
 				%>
 			  </pre>
 			  <p class="desc">
 				The code (above) takes user input (params), and renders it back on the page without any output encoding or escaping.
-			  </p>	
+			  </p>
             </div>
           </div>
         </div>
@@ -71,14 +71,14 @@
           <div class="accordion-body collapse" id="collapseSeven" style="height: 0px;">
             <div class="accordion-inner">
              <p><b> Stored Cross-Site Scripting ATTACK:</b></p>
-			 <p class="desc"> 
+			 <p class="desc">
 				Ensure you are signed out of the application first. Make sure you are using something like Firefox as Safari/Chrome won't work for this exercise. Then, use the following link (substitute hostname for your actual hostname) to execute an alert box:
 			 </p>
 			 <pre>
 				<%= %{http://127.0.0.1:3000/#test=<script>alert(1)</script>} %>
-			 </pre>	
+			 </pre>
 			 <p><b> Stored Cross-Site Scripting SOLUTION:</b></p>
-			 <p> 
+			 <p>
 			   Leverage the Hogan function for escaping (found in the application.js file) to escape user input:
 			 </p>
 			 <pre class="javascript">
@@ -97,10 +97,10 @@
 	  \}
 	   //document.write("</select>");
 	 </script>
-				}	
-				
+				}
+
 				%>
-			 </pre>	
+			 </pre>
             </div>
           </div>
         </div>

app/views/layouts/tutorial/xss/_xss_first.html.erb

@@ -31,23 +31,23 @@
           <div class="accordion-body collapse" id="collapseTwo" style="height: 0px;">
             <div class="accordion-inner">
               <p><b>Stored Cross-Site Scripting - The following code was taken from app/views/layouts/shared/_header.html.erb</b></p>
-			 
+
 				 <p>
   					<pre class="ruby">
 					  <%= @code %>
 	 				</pre>
                   </p>
  				  <p class="desc">
-					Coincidentally, HTML safe is not safe from HTML Injection or "XSS" attacks. The name is deceiving. Some folks believe the raw() helper to be different than the html_safe String method. raw() is actually a wrapper for html_safe and essentially ensures exceptions are handled when the expected value is nil. 
+					Coincidentally, HTML safe is not safe from HTML Injection or "XSS" attacks. The name is deceiving. Some folks believe the raw() helper to be different than the html_safe String method. raw() is actually a wrapper for html_safe and essentially ensures exceptions are handled when the expected value is nil.
 					<pre class="ruby">
 						# Psuedo-code to help conceptualize
 						def raw(dirty_string)
 						  dirty_string.to_s.html_safe
 						end
 					</pre>
-					
+
 				  </p>
-		    
+
             </div>
           </div>
         </div>
@@ -66,7 +66,7 @@
 			 <p> When registering, enter your JavaScript tag such as <%= %{<script>alert("ohai")</script>} %> in the First Name field. Upon login the header navigation bar will echo "Welcome" + your JS code. You can have your XSS code point the victim to a <b><%= link_to "BeEF server", "http://beefproject.com", {:style => "color: rgb(69, 126, 136)" } %></b> and have some fun as well.
 			 </p>
 			 <p><b> Stored Cross-Site Scripting SOLUTION:</b></p>
-			 <p> 
+			 <p>
 				Often developers error on the side of using "html_safe" versus "raw" with the idea being one is safer than the other. In this example, simply removing the .html_safe call would both eliminate the attack (by default, Rails 3.x html encodes these dangerous chars). Rails 2.x would require that any potentially malicious content is wrapped within an h() tag. Potentially malicious content should be thought of anything that is dynamically generated. Also, it is important to note that if for some reason you wanted to render HTML code in literal form, you can use things like sanitize() or strip_tags().
 			 </p>
             </div>