Use Rails’ APIs to Generate Markup

Explore how to safely generate HTML markup in Rails views using built-in helper methods such as content_tag. Understand the risks of manual string interpolation and the importance of escaping untrusted content to protect against injection attacks and security vulnerabilities in web applications.

We'll cover the following...

Issues with the current view
Generating markups

Issues with the current view

The view is a magnet for security issues because it’s code that gets executed in the user’s browser and not on our servers. The OWASP Top Ten is a list of the ten most problematic security risks for a web application. Several of these vulnerabilities can be exploited by allowing unsafe content to be sent to a user’s browser in HTML, CSS, or JavaScript.

When we just use HTML templates, Rails does a great job of preventing these problems. If a user creates a Widget named <strong>HACKED</strong> Stembolts, Rails would escape those <strong> tags so the browser doesn’t render them.

Generating markups

...

1.Prologue

2.Getting Started

3.The Rails Application Architecture

4.Start Our App Off Right

5.Business Logic

6.Routes and URLs

7.HTML Templates

8.Helpers

9.CSS

10.Minimize JavaScript

11.Carefully Manage the JavaScript We Need

12.Testing the View

13.Models I

14.The Database

Project

15.Business Logic Code is a Seam

16.Models II

17.End-to-End Testing

18.Controllers

19.Jobs

20.Other Boundary Classes

21.Authentication and Authorization beyond Rails

Project

22.API Endpoints

23.Sustainable Process and Workflows

24.Operations

25.Conclusion

26.Appendices

Use Rails’ APIs to Generate Markup

Issues with the current view

Generating markups