Ruby Snippet #03

This challenge covers the review of a snippet of code written in Ruby

< 1 Hr.
In this Code Review Snippet challenge, you are provided with a Ruby on Rails application containing a potential security vulnerability. The review begins in the `users_controller.rb` file, where a user is fetched based on an `id` parameter. Because this parameter is converted to an integer before it reaches the query, it cannot carry SQL injection, so this part of the code is secure.

However, the vulnerability lies in the `show.html.erb` view file. Here, the user's website URL is placed directly into a link without any validation or sanitization. Since each user controls their own website field, a user can inject JavaScript through that URL, which leads to a cross-site scripting (XSS) vulnerability. The challenge emphasizes the importance of securing user-provided data, especially when it is used to generate HTML content.
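As an added example (not the challenge's own code), the following stdlib-only Ruby model shows the view pattern described above beside a hardened version. The templates stand in for `show.html.erb`, and `safe_website_href`, `render_vulnerable` and `render_hardened` are hypothetical names; the fix allowlists the `http`/`https` schemes before the value is rendered, because attribute escaping alone does not stop a `javascript:` URL, which contains no HTML metacharacters.

```ruby
require "uri"
require "cgi"
require "erb"

# Returns the URL when it is an absolute http(s) URL, otherwise nil.
# nil means "render no link at all" rather than "render a defanged one".
def safe_website_href(raw)
  return nil if raw.nil?
  uri = URI.parse(raw.strip)
  return nil unless uri.is_a?(URI::HTTP)      # URI::HTTPS is a subclass
  return nil if uri.host.nil? || uri.host.empty?
  uri.to_s
rescue URI::InvalidURIError
  nil                                          # malformed input: no link
end

# Vulnerable rendering: the stored value lands in href unchanged,
# so a website of "javascript:..." becomes a clickable script.
VULNERABLE = ERB.new('<a href="<%= website %>">Website</a>')

def render_vulnerable(website)
  VULNERABLE.result_with_hash(website: website)
end

# Hardened rendering: scheme allowlist first, then attribute escaping
# so a value containing quotes or angle brackets cannot break out.
HARDENED = ERB.new(
  '<% href = safe_website_href(website) %>' \
  '<% if href %><a href="<%= CGI.escapeHTML(href) %>">Website</a>' \
  '<% else %><span>No website</span><% end %>'
)

def render_hardened(website)
  HARDENED.result_with_hash(website: website)
end

if __FILE__ == $0
  # Constructed sample values for the user's website field.
  ["https://example.com/", "javascript:alert(document.cookie)", "//evil.example"].each do |w|
    puts render_vulnerable(w)
    puts render_hardened(w)
  end
end
```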
