Beware of html_safe in Rails !!!
Software Engineer
Ruby on Rails

Modern web frameworks provide a secure way to develop new applications. However, if we do not understand them well, they can still lead to security issues.
html_safe in Rails is an example. It seems "safe", but is it safe?
Understanding html_safe
Ref: https://api.rubyonrails.org/classes/String.html#method-i-html_safe
In Rails, the html_safe method is used to mark a string as safe for HTML output. By default, Rails escapes HTML to prevent injection attacks. When you use html_safe on a string, you are telling Rails that the string is safe to insert into HTML without escaping.
That DOESN'T mean html_safe will make the parsed HTML safe against Cross-Site Scripting (XSS). It does not change the string at all; it only sets a flag, so it is equivalent to the raw helper in the view.
For example:
```erb
<%= "<h1>Hello, World!</h1>".html_safe %>
```
This will render as:
```html
<h1>Hello, World!</h1>
```
Without html_safe, the output would be escaped, so the browser shows the tags as literal text instead of rendering them:
```html
&lt;h1&gt;Hello, World!&lt;/h1&gt;
```
The Danger of html_safe
The primary risk of using html_safe is that it can inadvertently introduce XSS vulnerabilities. XSS occurs when an attacker can inject malicious scripts into a web page, potentially leading to data theft, session hijacking, or other malicious activities.
Consider the following scenario: you receive user input and mark it as html_safe:
```erb
<%= params[:user_input].html_safe %>
```
If an attacker submits the following input:
```html
<script>alert('Hacked!');</script>
```
The output will be:
```html
<script>alert('Hacked!');</script>
```
This script will execute in the user's browser, leading to an XSS attack.
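To make the mechanism concrete, here is a small added illustration (my own code, not Rails' source) that models the contract behind String#html_safe and the view output buffer: html_safe changes no characters, it only sets a flag, and the buffer escapes everything that lacks the flag. The SafeHtml struct, the render helper and the USER_INPUT sample are stand-ins I constructed; the escaping itself uses Ruby's standard ERB::Util.html_escape.

```ruby
require 'erb'

# Minimal model of Rails' "html safe" flag (an added illustration,
# not ActiveSupport::SafeBuffer itself). A value is rendered unescaped
# only when it carries this flag.
SafeHtml = Struct.new(:html) do
  def html_safe?
    true
  end
end

# Stand-in for String#html_safe: same bytes, plus the "safe" flag.
def html_safe(str)
  SafeHtml.new(str)
end

# Stand-in for the output buffer that <%= %> writes into: flagged
# values pass through untouched, everything else is HTML-escaped.
def render(*parts)
  parts.map do |part|
    if part.respond_to?(:html_safe?) && part.html_safe?
      part.html
    else
      ERB::Util.html_escape(part.to_s)
    end
  end.join
end

# Constructed attacker-style input, the same payload as in the post.
USER_INPUT = "<script>alert('Hacked!');</script>"

# The vulnerable pattern: <%= params[:user_input].html_safe %>
# The flag bypasses escaping, so the script tag reaches the browser.
def render_marked_safe(user_input)
  render(html_safe(user_input))
end

# The default pattern: <%= params[:user_input] %> is escaped to inert text.
def render_escaped(user_input)
  render(user_input)
end

# Mixing trusted markup with untrusted data: only the literal tags you
# wrote are marked safe; the user's text is still escaped.
def render_heading(user_input)
  render(html_safe("<h1>"), user_input, html_safe("</h1>"))
end

puts render_marked_safe(USER_INPUT) if __FILE__ == $PROGRAM_NAME
puts render_escaped(USER_INPUT)     if __FILE__ == $PROGRAM_NAME
```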
Best Practices and Safer Alternatives
To avoid the pitfalls of html_safe, consider the following best practices:
- Avoid using html_safe on user input: Never mark user-generated content as html_safe. Always assume that user input could be malicious and must be sanitized.
- Sanitize user input: If you must allow some HTML content from user input, use the sanitize helper to remove potentially dangerous tags and attributes:
```erb
<%= sanitize(params[:user_input]) %>
```
Rails' sanitize helper works from an allowlist of safe tags and attributes and strips everything else, which reduces the risk of XSS attacks. Ref: https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html
- Use RuboCop to follow Rails best practices and Brakeman to find security vulnerabilities. No one can know everything; let these tools help you.
Happy coding!