Protect your Rails app from malicious XSS attacks

I noticed a post on RubyInside about two new libraries to clean up user submitted form data. Any time someone submits a string which is then displayed in the browser as rendered html, there exists the opportunity for a malicious hacker to insert bad things into your browser. I'm talking about this kind of nonsense:

';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//-->">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

or this:

'';!--"<XSS>=&{()}<br /><br /> You can see more examples of bad on the Cross Site Scripting Vectors Page: <a href="http://ha.ckers.org/xss.html">http://ha.ckers.org/xss.html</a> Anyhow, I have a different approach to sanitizing input: run it through the html5 gem, which outputs clean, valid html5. What a notion! I like this because you can control what strings are processed, when. No heavy-handed ActiveRecord monkey patching required. I've added String.sanitize and String.sanitize! to the sanitize.rb library, originally by Jacques Distler: <a href="http://pastie.org/351431">http://pastie.org/351431</a> Hopefully you'll find it useful, too. </XSS>