[LRUG] [Help request] Programmatically inserting user data into js chart
Tom Stuart
tom at codon.com
Fri Jun 10 02:05:32 PDT 2016
On 10 Jun 2016, at 02:38, Mark Burns <markthedeveloper at gmail.com> wrote:
> Note that using raw potentially opens you up to XSS attacks.
Yes, you should use json_escape (http://api.rubyonrails.org/classes/ERB/Util.html#method-c-json_escape) to make sure that the output can’t contain something naughty like "</script>":
<%= raw json_escape(JSON.pretty_generate(@jsonish)) %>
Cheers,
-Tom
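An added example, not part of Tom's message: it reproduces the substitution table ActiveSupport's json_escape uses (assumed from the linked docs, so it runs on plain Ruby without Rails) on constructed chart data whose user-supplied label carries "</script>", and checks that the escaped output has no script-closing tag yet still parses back to the same data.

```ruby
require 'json'

# Substitution table from ActiveSupport's ERB::Util.json_escape,
# reproduced here so the example runs without Rails (assumption: the
# linked documentation lists these five replacements).
JSON_ESCAPE = {
  '&'      => '\u0026',
  '>'      => '\u003e',
  '<'      => '\u003c',
  "\u2028" => '\u2028',
  "\u2029" => '\u2029'
}.freeze
JSON_ESCAPE_REGEXP = /[\u2028\u2029&><]/u

# Same replacement json_escape performs; the result is still valid JSON
# because \u003c etc. are ordinary JSON string escapes.
def json_escape(json)
  json.to_s.gsub(JSON_ESCAPE_REGEXP, JSON_ESCAPE)
end

# Constructed sample: a chart title supplied by a user that tries to
# close the script block early (the "naughty" case from the post).
USER_DATA = {
  'title'  => 'Sales </script><script>alert(1)</script>',
  'points' => [1, 2, 3]
}.freeze

# What `raw` alone would put into the page: the HTML parser sees the
# literal </script> inside the JSON string and ends the script there.
def unescaped_script_body
  JSON.pretty_generate(USER_DATA)
end

# What `raw json_escape(...)` puts into the page: no literal '<' or '>'
# survives, so the HTML parser has nothing to close on.
def escaped_script_body
  json_escape(JSON.pretty_generate(USER_DATA))
end

# The check a reviewer would run over the rendered script body.
def contains_script_close?(body)
  body.downcase.include?('</script')
end

# Browser-side JSON.parse recovers exactly the original data.
def round_trip(body)
  JSON.parse(body)
end

puts escaped_script_body if __FILE__ == $PROGRAM_NAME
```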