
A5 Security Misconfig JSON Escaping

cktricky edited this page Jul 10, 2015 · 1 revision

Description

Another one of the Rails security configurations relates to escaping HTML entities in JSON.

Bug

When the following setting is set to false, HTML entities in JSON responses will not be encoded.

ActiveSupport::escape_html_entities_in_json = false

Solution

Edit the html_entities file at config/initializers/html_entities.rb and set the following to true.

ActiveSupport::escape_html_entities_in_json = true

Once the initializer is edited and the application is restarted, any HTML entities in JSON responses will be encoded.
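To show what the setting actually changes, here is an added illustration (not ActiveSupport's or RailsGoat's own code) that applies the same post-encoding substitution to plain JSON: with escaping on, the JSON still parses back to the original values, but no raw `<`, `>` or `&` remains in the output that a browser's HTML parser could treat as markup when the JSON is embedded in a page. The sample record is constructed.

```ruby
require 'json'

# Constructed illustration of what escape_html_entities_in_json = true
# does: after normal JSON encoding, the characters that matter inside
# an HTML document are replaced by their \uXXXX escapes. A JSON parser
# decodes them back to the same string; an HTML parser never sees them.
HTML_ESCAPES = {
  '<' => '\u003c',
  '>' => '\u003e',
  '&' => '\u0026'
}.freeze

# Encode a Ruby value as JSON, optionally escaping HTML entities the
# way the Rails setting does (the false branch mirrors the bug above).
def to_json_escaping_html(value, escape_html_entities: true)
  json = JSON.generate(value)
  return json unless escape_html_entities

  # Block form of gsub inserts the replacement literally.
  json.gsub(/[<>&]/) { |c| HTML_ESCAPES[c] }
end

# Check used when reviewing a response body: true when no raw HTML
# metacharacter survived encoding.
def html_entities_escaped?(json)
  json !~ /[<>&]/
end

# Constructed sample: a user-supplied field that contains markup.
SAMPLE = { 'name' => '<b>Tom & Jerry</b>' }.freeze

if __FILE__ == $PROGRAM_NAME
  puts to_json_escaping_html(SAMPLE, escape_html_entities: false)
  puts to_json_escaping_html(SAMPLE)
end
```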

Hint

Think HTML entities, escaping and initializers.

Sections are divided by their OWASP Top Ten label (A1-A10) and marked as R4 and R5 for Rails 4 and 5.
