You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Currently, when creating a Filterrific object using initialize_filterrific, it will automatically sanitize the params from the session, query, etc.
The problem with sanitization is that it will break the params send to actual filters inside the model. If your search includes <, & characters, those will be escaped by the sanitization process. This sanitization will change the actual SQL queries and will often return wrong results.
According to the comment in code, it should protect against XSS, if the user injects HTML tags in the Filterrific params.
In my application, I completely emptied the logic of the method sanitize_filterrific_param and I was unable to reproduce any XSS injection issues. My tests show that Rails automatic sanitization of strings will correctly escape Filterrific params if displayed in the view using <%= @filterrific.name_of_filter %>.
The text was updated successfully, but these errors were encountered:
Currently, when creating a Filterrific object using
initialize_filterrific, it will automatically sanitize the params from the session, query, etc.The problem with sanitization is that it will break the params send to actual filters inside the model. If your search includes
<,&characters, those will be escaped by the sanitization process. This sanitization will change the actual SQL queries and will often return wrong results.According to the comment in code, it should protect against XSS, if the user injects HTML tags in the Filterrific params.
filterrific/lib/filterrific/action_controller_extension.rb
Line 84 in f38d7e3
In my application, I completely emptied the logic of the method
sanitize_filterrific_paramand I was unable to reproduce any XSS injection issues. My tests show that Rails automatic sanitization of strings will correctly escape Filterrific params if displayed in the view using<%= @filterrific.name_of_filter %>.The text was updated successfully, but these errors were encountered: