xss-shield - Google Code

License:	MIT License
Labels:	rails, web, security, xss, ruby

Join project

Project owners:
	Tomasz.Wegrzanowski

XSS Shield protects your views against cross-site scripting attacks without error-prone manual escaping with h().

Instead of:

  <h3><%= h(item.name) %></h3>
  <p><%= link_to "#{h(item.first_name)}'s stuff", :action => :view, :id => item %></p>

You will be able to write:

  <h3><%= item.name %></h3>
  <p><%= link_to "#{item.first_name}'s stuff", :action => :view, :id => item %></p>

and all your views will be automatically protected. Protection works by tagging strings you trust - which are only those escaped by h(), generated by trusted helpers (like link_to, text_area, will_paginate etc.), or explicitly marked as trusted by you. If untrusted string is to be displayed in a template it is h-escaped first.

XSS Shield supports RHTML and HAML.

To install the plugin run:

  ./script/plugin install -x http://xss-shield.googlecode.com/svn/trunk/xss-shield/