prevent HTML/JS injection attacks

hone · hone · commit ed4b973744f1 · 2013-10-08T02:33:44.000-04:00
diff --git a/middlewares/chat_backend.rb b/middlewares/chat_backend.rb
@@ -1,6 +1,8 @@
 require 'faye/websocket'
 require 'thread'
 require 'redis'
+require 'json'
+require 'erb'
 
 module ChatDemo
   class ChatBackend
@@ -32,7 +34,7 @@ def call(env)
 
         ws.on :message do |event|
           p [:message, event.data]
-          @redis.publish(CHANNEL, event.data)
+          @redis.publish(CHANNEL, sanitize(event.data))
         end
 
         ws.on :close do |event|
@@ -48,5 +50,12 @@ def call(env)
         @app.call(env)
       end
     end
+
+    private
+    def sanitize(message)
+      json = JSON.parse(message)
+      json.each {|key, value| json[key] = ERB::Util.html_escape(value) }
+      JSON.generate(json)
+    end
   end
 end
