#27 Cross Site Scripting
Another common security issue is cross site scripting. In this episode you will see why it is so important to escape any HTML a user may submit.
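The escaping the episode covers, as an added example that is not part of the original page: a constructed user comment rendered through an ERB template once without escaping and once with the `h` helper (`ERB::Util.html_escape`), plus a small check for a surviving script tag. The `CommentView` class is a stand-in for the Rails view context and is an assumption of this example.

```ruby
require "erb"

# Constructed sample of user-submitted comment text (not taken from any real site).
USER_COMMENT = "<script>alert('Hi!')</script> :D"

# Vulnerable template: interpolates the raw comment, so any markup it carries
# becomes part of the page and runs in every visitor's browser.
UNSAFE_TEMPLATE = ERB.new("<p><%= body %></p>")

# Hardened template: h (ERB::Util.html_escape) turns <, >, &, " and ' into
# entities, so the browser shows the text instead of executing it.
SAFE_TEMPLATE = ERB.new("<p><%= h body %></p>")

# Hypothetical stand-in for the Rails view context; including ERB::Util exposes
# the same h helper that Rails views provide.
class CommentView
  include ERB::Util
  attr_reader :body

  def initialize(body)
    @body = body
  end

  # Evaluate the template against this view's binding so body and h resolve.
  def render(template)
    template.result(binding)
  end
end

def render_unsafe(body)
  CommentView.new(body).render(UNSAFE_TEMPLATE)
end

def render_safe(body)
  CommentView.new(body).render(SAFE_TEMPLATE)
end

# Check a rendered fragment for a live <script> tag, the symptom of missing escaping.
def contains_script_tag?(html)
  html.match?(/<script\b/i)
end

if __FILE__ == $PROGRAM_NAME
  puts "unescaped: #{render_unsafe(USER_COMMENT)}"
  puts "escaped:   #{render_safe(USER_COMMENT)}"
end
```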
- Download:
- mp4: Full Size H.264 Video (9.8 MB)
- m4v: Smaller H.264 Video (6.74 MB)
- webm: Full Size VP8 Video (19.3 MB)
- ogv: Full Size Theora Video (14.3 MB)
Thanks for another great screencast tutorial!
Keep up the great work!
Thanks. I missed this security hole in many places :).
Good topic, Ryan. Cross-site scripting is such a common problem and really needs plenty of attention.
Please let me know if you are unable to transfer the iPod version to your iPod/Apple TV. I may have got the compression settings incorrect or something.
Ryan, I haven't yet tried the download for iPod option, but I was just curious: what's the difference between that version and the regular one? Is it just more compressed?
Good question. It's 640x480 instead of 800x600 and the compression doesn't look as nice, so if you don't need to play it back on an iPod/Apple TV it's definitely better to stick with the higher quality version.
Thanks Ryan. I'll probably start downloading the iPod versions though... that way I can take the casts with me on trips (Sadly, I don't have a laptop yet). As much as I like the higher quality, I find no reason to download the videos twice (and I might as well save you a little bandwidth). Thanks and keep up the good work!
Thanks Ryan for these excellent screencasts.
Keep it up.
Congrats from México.
For those interested, the iPod format should be working now. Sorry about the incompatible file format.
Hey Ryan,
I was JUST about to whine about the iPod version. :) Thanks for another great tute and for reading my mind!
Very useful issue!
I find the ipod versions hard to read because they're too blurry (the normal versions are fantastic, incredibly clear!).
I suppose that's because the resolution has been reduced, but is it also because of higher compression? h264 should be able to do clear video, is it possible to turn up the bitrate?
Anyway, these railscasts are very useful, keep up the great work!
<script>alert('Hi!')</script> :D
Hey, I wrote a quick informative tutorial about XSS on http://www.snailrails.com/2008/1/cross-site-scripting.
Check it out for some more information.
I know this is an old cast, but I just wanted to point everyone towards a great little plugin I found after watching this.
http://github.com/emk/safe_erb/tree/master
It raises an exception any time content is displayed to the screen without being escaped with "h". Helped me find a few vulnerabilities in my current project.
This episode has been updated for Rails 5 as a blog post. Cross Site Scripting in Rails 5
alert('thank you')