The rules of the OWASP Cross Site Scripting (XSS) Prevention Cheat Sheet
- Never insert untrusted data except in allowed locations: don't put it directly into the HTML document or into any other context (JavaScript, CSS, attribute contexts) without the context-specific escaping below
- HTML escape untrusted content from the user before inserting it into HTML element content (&, <, >, " and '); Rails does this by default for <%= %> in ERB templates, and raw or html_safe bypass it
- Attribute escape untrusted data before putting it into HTML tag attributes: always quote the attribute value and escape both quote characters, since an unquoted attribute value is terminated by a space and cannot be made safe by escaping quotes alone
- Escape JavaScript before putting untrusted data into a JavaScript context, see also the escape_javascript Rails method (it is only safe inside a quoted JavaScript string literal, not for data placed into bare code)
- Escape HTML entities (&, <, >) in JSON strings that are embedded in an HTML page, see the json_escape Rails method
- Escape untrusted data in a CSS context and validate it against an allowlist of expected values, see also the sanitize_css() method in Rails
- URL encode untrusted data before placing it into URL parameters; when the whole URL is untrusted, also validate the scheme, because encoding does not stop a javascript: link
- HTML sanitize untrusted input, see the sanitize() Rails method in the latest version (but watch out in earlier versions of Rails)
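The following script walks one constructed XSS probe through each of the contexts listed above. It is an added example, not code from the OWASP cheat sheet or from Rails: it uses only the Ruby standard library, so the `escape_javascript` and `json_escape` functions here are local re-implementations modelled on the Rails helpers of the same name, and `attribute`, `safe_css_color`, `search_link`, `safe_href` and the `PAYLOAD` sample are names and data chosen for this demonstration. The HTML sanitize rule is not shown, since it needs the rails-html-sanitizer gem rather than an escaping routine.

```ruby
require "erb"
require "json"
require "uri"

# Constructed sample of untrusted input: a typical XSS probe that tries to break
# out of several contexts at once.
PAYLOAD = %q{"><script>alert(1)</script>'; alert(2); //</script>}

# HTML element content: escape &, <, >, " and '. ERB::Util.html_escape is what
# Rails' <%= %> uses by default (bypassed only by raw / html_safe).
def html_escape(text)
  ERB::Util.html_escape(text)
end

# Attribute context: always emit the value inside quotes; with quotes present the
# same escaping is sufficient, because both quote characters are encoded.
def attribute(name, value)
  %(#{name}="#{ERB::Util.html_escape(value)}")
end

# JavaScript string-literal context, modelled on Rails' escape_javascript:
# backslash-escape quotes and backslashes, fold line breaks into \n, and break
# "</" so the data cannot terminate the enclosing <script> element.
JS_ESCAPE = {
  "\\" => "\\\\", "</" => '<\/', "\r\n" => "\\n", "\n" => "\\n", "\r" => "\\n",
  '"' => '\\"', "'" => "\\'", "`" => "\\`", "$" => "\\$",
  "\u2028" => "&#x2028;", "\u2029" => "&#x2029;"
}.freeze

def escape_javascript(text)
  text.gsub(/\\|<\/|\r\n|[\n\r"'`$\u2028\u2029]/, JS_ESCAPE)
end

# JSON embedded in an HTML page: JSON.generate already escapes quotes, so only
# the HTML-significant characters are replaced (as Rails' json_escape does),
# which keeps the output valid JSON for the JavaScript side.
JSON_ESCAPE = { "&" => '\u0026', ">" => '\u003e', "<" => '\u003c',
                "\u2028" => '\u2028', "\u2029" => '\u2029' }.freeze

def json_escape(json)
  json.gsub(/[&><\u2028\u2029]/, JSON_ESCAPE)
end

# CSS context: escaping alone is not enough because property values can carry
# url() and expression() payloads, so validate against a strict allowlist.
# This demo accepts only hex colours and falls back to a harmless default.
def safe_css_color(value)
  value.match?(/\A#\h{3}(?:\h{3})?\z/) ? value : "inherit"
end

# URL context, case 1: untrusted data inside a query parameter is URL-encoded.
def search_link(query)
  "/search?q=#{ERB::Util.url_encode(query)}"
end

# URL context, case 2: the whole URL is untrusted. Encoding cannot help here;
# the scheme has to be validated or javascript: (and protocol-relative //host)
# links survive. The accepted value is then HTML-escaped for the href attribute.
def safe_href(url)
  uri = URI.parse(url)
  scheme = uri.scheme.to_s.downcase
  allowed = %w[http https].include?(scheme) ||
            (uri.scheme.nil? && url.start_with?("/") && !url.start_with?("//"))
  allowed ? ERB::Util.html_escape(url) : "#"
rescue URI::InvalidURIError
  "#"
end

if __FILE__ == $PROGRAM_NAME
  puts "<p>#{html_escape(PAYLOAD)}</p>"
  puts "<div #{attribute('title', PAYLOAD)}></div>"
  puts "<script>var name = '#{escape_javascript(PAYLOAD)}';</script>"
  puts "<script>var data = #{json_escape(JSON.generate('name' => PAYLOAD))};</script>"
  puts "<div style=\"color: #{safe_css_color('red; background:url(javascript:alert(1))')}\"></div>"
  puts "<a href=\"#{search_link(PAYLOAD)}\">search</a>"
  puts "<a href=\"#{safe_href('javascript:alert(1)')}\">profile</a>"
end
```

Each helper is tied to one output context; reusing `html_escape` for the JavaScript or URL cases would leave the probe executable there, which is the point of the per-context rules above.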