team-alpha/railsgoat
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
68e6a01743594baa05139ea9e653eaf6191d7284
railsgoat/app/views/layouts/tutorial/misconfig/_misconfig_second.html.erb
T
James Espinosa 68e6a01743 Clean up trailing and leading whitespace
2014-07-05 19:15:32 -05:00

80 lines
3.1 KiB
Plaintext
Raw Blame History

<div class="widget">
<div class="widget-header">
<div class="title">
<span class="fs1" aria-hidden="true" data-icon="&#xe092;"></span> A5 - Security Misconfiguration
</div>
</div>
<div class="widget-body">
<div id="accordion1" class="accordion no-margin">
<div class="accordion-group">
<div class="accordion-heading">
<a href="#collapseFive" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
<i class="icon-info icon-white">
</i>
Description
</a>
</div>
<div class="accordion-body in collapse" id="collapseFive" style="height: auto;">
<div class="accordion-inner">
Another one of the Rails security configurations relates to escaping HTML entities in JSON.
</div>
</div>
</div>
<div class="accordion-group">
<div class="accordion-heading">
<a href="#collapseSix" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
<i class="icon-bug icon-white">
</i>
Bug
</a>
</div>
<div class="accordion-body collapse" id="collapseSix" style="height: 0px;">
<div class="accordion-inner">
<p>When the following setting is set to false, HTML entities in JSON response will not be encoded.<p>
<p>
<pre class="ruby">
<%= %q{
ActiveSupport::escape_html_entities_in_json = false
} %>
</pre>
</p>
</div>
</div>
</div>
<div class="accordion-group">
<div class="accordion-heading">
<a href="#collapseSeven" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
<i class="icon-lightning icon-white">
</i>
Solution
</a>
</div>
<div class="accordion-body collapse" id="collapseSeven" style="height: 0px;">
<div class="accordion-inner">
<p>Edit the html_entities file at config/initializers/html_entities.rb and set the following to true.</p>
<p><pre class="ruby">
<%= %q{
ActiveSupport::escape_html_entities_in_json = true
} %>
</pre></p>
<p>Once the initializer is edited and the application is restarted, any HTML entities in JSON responses will be encoded.</p>
</div>
</div>
</div>
<div class="accordion-group">
<div class="accordion-heading">
<a style="background-color: rgb(181, 121, 158)" href="#collapseEight" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
<i class="icon-aid icon-white">
</i>
Hint
</a>
</div>
<div class="accordion-body collapse" id="collapseEight" style="height: 0px;">
<div class="accordion-inner">
Think HTML entities, escaping and initializers.
</div>
</div>
</div>
</div>
</div>
</div>
Reference in New Issue View Git Blame Copy Permalink