Comments (3)
The accepted way to prevent XSS attacks in Rails is to properly escape user inputted data when you are outputting them in your templates rather than validating the data when it is being input. Even with very strict email validation you will still be vulnerable to XSS attacks if you don't properly escape user inputted email addresses. Conversely, if you properly escape email addresses then you will be safe from XSS even if you perform no input validation at all.
You can learn more on the Rails Guides: https://guides.rubyonrails.org/security.html#cross-site-scripting-xss. Also, check out the mail_to helper if you are looking for an easy and secure way to generate mailto links.
from email_validator.
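The point made in this comment, and in the Rails Guide quote that follows it, is that an allowlist-style validator and output escaping protect against different things. The following Ruby script is an added example, not code from the email_validator gem or from the commenter: the sample addresses are constructed, `SIMPLE_EMAIL` is a stand-in for whatever allowlist check a validator applies, and `mailto_link` is a hypothetical helper that imitates what a mailto builder has to do (percent-encode the href, HTML-escape the text) rather than Rails' actual `mail_to`. It shows that every sample passes validation, yet only the escaped renderings are safe to emit.

```ruby
require 'erb'

# Constructed sample addresses (not taken from the issue): each one passes a
# permissive allowlist check, and two of them carry characters that are
# significant in HTML text or attribute context (' " &).
SAMPLE_ADDRESSES = [
  'alice@example.com',
  "o'brien@example.com",
  '"quoted&local"@example.com'
].freeze

# Stand-in for an input validator's allowlist: one "@", no whitespace, a dot
# in the domain. It decides whether the value is an address, not whether the
# value is safe to put into HTML.
SIMPLE_EMAIL = /\A[^@\s]+@[^@\s]+\.[^@\s]+\z/

def passes_simple_validation?(address)
  SIMPLE_EMAIL.match?(address)
end

# Unsafe rendering: the address is interpolated into markup unchanged, so any
# HTML metacharacter the validator let through reaches the browser as markup.
def render_unescaped(address)
  %(<span class="email">#{address}</span>)
end

# Safe rendering: ERB::Util.html_escape turns & < > " ' into entities, so the
# address is displayed literally no matter what the validator accepted.
def render_escaped(address)
  %(<span class="email">#{ERB::Util.html_escape(address)}</span>)
end

# Hypothetical mailto helper (not Rails' mail_to): the href is percent-encoded
# with ERB::Util.url_encode, keeping "@" readable, and the visible text is
# HTML-escaped, so both the attribute and the text context are covered.
def mailto_link(address)
  href = 'mailto:' + ERB::Util.url_encode(address).gsub('%40', '@')
  %(<a href="#{href}">#{ERB::Util.html_escape(address)}</a>)
end

# True when the raw value contains a character that changes meaning in HTML.
def contains_html_metacharacters?(address)
  address.match?(/["'&<>]/)
end

if $PROGRAM_NAME == __FILE__
  SAMPLE_ADDRESSES.each do |address|
    puts "address:      #{address}"
    puts "  validates:  #{passes_simple_validation?(address)}"
    puts "  risky raw:  #{contains_html_metacharacters?(address)}"
    puts "  unescaped:  #{render_unescaped(address)}"
    puts "  escaped:    #{render_escaped(address)}"
    puts "  mailto:     #{mailto_link(address)}"
  end
end
```

Running it shows all three addresses validating, while only `render_escaped` and `mailto_link` neutralise the apostrophe, quotes and ampersand; in a Rails template the same effect comes from the default `<%= %>` escaping and from `mail_to`, and the validator remains a correctness check rather than an XSS defence.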
from the document:
7.3.2.3 Countermeasures
It is very important to filter malicious input, but it is also important to escape the output of the web application. Especially for XSS, it is important to do whitelist input filtering instead of blacklist. Whitelist filtering states the values allowed as opposed to the values not allowed. Blacklists are never complete.
...
All I'm saying is you should give people a heads up that their only protection is escaping the output.
from email_validator.
I just think it might not occur to some that this validation philosophy gives them less protection than they might expect.
from email_validator.