This gem is a work in progress (in fact right now barely started). In time, this gem will provide simple, automatic validation of all string fields in your models to protect them from XSS attacks.
In the short term, the functionality provided is extremely limited:
class MyModel < ActiveRecord::Base
xss_defense # Enables XSS defense on this model.
endThis will automatically validate all string attributes in the model to ensure they only contain safe characters. The list of allowed characters is described in the XssValidator class.
The gem has currently not been formally released, and needs to be installed via git:
Your Gemfile:
gem 'xss_defense', :git => 'git://github.com/pauljamesrussell/xss_defense.git'This gem was initially created to support a 'pet project'. Contributions are absolutely welcome. Standard rules apply: Please fork, write tests,
implement them, commit your changes and then submit a pull request. RSpec is enabled on the project, as is guard. Run rake spec to execute your tests.
xss_defense is offered as-is and with no warranties of any kind, express, implied, statutory or otherwise, including, without limitation, warranties of title, merchantibility, fitness for a particular purpose, or noninfringement.
The authors do not warrant that xss_defense will provide protection from cross-site scripting attacks.
xss_defense is not a substitute for carrying out a full and professionally conducted risk assessment of your application, and xss_defense alone is not sufficient protection from cross site scripting attacks.