Sinatra comes with some protection out of the box, but still there are some extra things we can do:

Input validation:
At the moment we have basic native validation. Are there any relevant restrictions we can add?

Input sanitization:
Some kind of tag stripping.

Output escaping:
We could use the ERB::Util method html_escape (aliased as the shorter h) on the params received from the form before sending them to Stripe/Salesforce/etc. See: http://ruby-doc.org/stdlib-1.9.3/libdoc/erb/rdoc/ERB/Util.html#method-c-h. Not too sure about this though, it's meant to be used more when spitting data to a view.

Setting up CSP:
Either setting the HTTP headers in Sinatra or adding a meta tag:

Using HttpOnly cookies:

Some useful guides:
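The items above (validation of the form params, html_escape for output, a CSP header and HttpOnly session cookies) as one added Ruby example; this is not code from the issue or the project. The allowed field names, the CSP policy value and the sample submission are assumptions made up for the example; the Sinatra/Rack calls appear only in comments.

```ruby
require 'erb'

module FormHardening
  # Fields the form is allowed to submit; anything else is dropped (input validation).
  ALLOWED_FIELDS = %w[name email amount].freeze

  # Content Security Policy sent as an HTTP header (the meta tag is the alternative route).
  # The policy itself is an assumption for this example: same-origin only, no inline scripts.
  CSP = "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'".freeze

  # Headers a Sinatra app could set in a before filter:  before { headers SECURITY_HEADERS }
  SECURITY_HEADERS = {
    'Content-Security-Policy' => CSP,
    'X-Content-Type-Options' => 'nosniff'
  }.freeze

  # Options for  use Rack::Session::Cookie, SESSION_COOKIE_OPTIONS.merge(secret: ...)
  # HttpOnly keeps the session id out of document.cookie; Secure restricts it to HTTPS.
  SESSION_COOKIE_OPTIONS = { httponly: true, secure: true }.freeze

  # Input validation: keep only known fields and check the ones the form needs.
  # Returns [clean_params, errors]; the checks are constructed for this example.
  def self.validate(params)
    clean = params.select { |k, _| ALLOWED_FIELDS.include?(k) }
    errors = []
    errors << 'name is required' if clean['name'].to_s.strip.empty?
    errors << 'email is invalid' unless clean['email'].to_s.match?(/\A[^@\s]+@[^@\s]+\z/)
    errors << 'amount must be a positive integer' unless clean['amount'].to_s.match?(/\A\d+\z/)
    [clean, errors]
  end

  # Output escaping with ERB::Util.html_escape (the h helper): turns <, >, &, " and ' into
  # entities so the value is inert in HTML. Apply it where the value is rendered into a view;
  # escaping before forwarding to a third-party API alters the data (O'Brien -> O&#39;Brien).
  def self.escape_for_html(params)
    params.transform_values { |v| v.is_a?(String) ? ERB::Util.html_escape(v) : v }
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample submission: markup in a field plus a field the form does not define.
  submitted = { 'name' => '<script>alert(1)</script>Bob', 'email' => 'bob@example.com',
                'amount' => '42', 'admin' => 'true' }
  clean, errors = FormHardening.validate(submitted)
  puts "errors: #{errors.inspect}"
  puts "for the view: #{FormHardening.escape_for_html(clean).inspect}"
end
```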