I've gone off and overridden devise's devise_error_messages! in the DeviseHelper module to return a differently formatted response as suggested here: rails - Devise - Handling - devise_error_messages

However part of what I did was to include the results of alert like so:

def devise_error_messages!

  # if there aren't any errors, just return a blank string
  return '' if (resource.errors.empty? && !alert)

  # go through each of the messages and add a <br> onto the back of it
  messages = resource.errors.full_messages.map { |msg| msg << "<br>" }.join

  # if there are also alerts, add that to the end of messages
  if alert
    messages << alert
  end

  # add div around messages
  messages = "<div class='errorbox'>" << messages << "</div>"

  # return messages in an html safe format
  messages.html_safe

end

This way I can have the devise_error_messages! in any page that needs them, and it'll just return the right answer. (E.g. devise's Sign Up form returns its errors through devise_error_messages! while the login form returns them through alert.)

What I want to know is if I can be guaranteed that the output of alert won't lead to any Cross Site Scripting. I am assuming that the output of resource.errors.full_messages is safe since the original devise_error_messages! method returns messages.html_safe and I'd trust that they wouldn't let it be at risk of any XSS.

However, since alert is suggested to be used in an erb output (e.g. <%= alert %>) where any injected code would be escaped by default, is there any occasion where code could be injected, thus making use of .html_safe potentially quite hazardous?

tl;dr - is it safe to use alert.html_safe?

SCB
  • Where does this `alert` come from? – Marek Lipka Feb 27 '14 at 08:36
  • Devise makes use of `flash[:alert]` and `flash[:notice]` to send warnings and it can be referenced as just `alert` or `notice`. When installing the Devise gem one of the instructions it gives is "Ensure you have flash messages in app/views/layouts/application.html.erb. For example:

    <%= notice %>
    <%= alert %>

    " Not entirely sure where it comes from besides that, but it works.
    – SCB Feb 27 '14 at 08:41

2 Answers

Unless you're modifying Devise's messages to add in user-provided content, or specifying custom flash messages with user-provided content, there's nothing to worry about.

All of Devise's flash messages are stored in config/locales/devise.en.yml.

sevenseacat
  • Thanks, though is there a risk that at some time, if the creator of the server programmed something specific enough, that something like the `resource` in `"1 error prohibited this %{resource} from being saved:"` could be abused? I know this isn't going to be a problem with what users can do in my application, though more just out of general interest. – SCB Feb 27 '14 at 09:07
  • `resource` is the name of your Devise model (eg. user), so it can't really be a problem. – sevenseacat Feb 28 '14 at 01:56

Not entirely an answer, since sevenseacat answered that it should be safe, though I was looking around a bit and found this quite relevant, hopefully it'll help people with similar problems.

If I were to be very pedantic about it, I could enclose alert inside h() like this:

if alert
  messages << h(alert)
end

This would ensure that any html in alert would be escaped while I can be sure that the rest of messages is HTML safe.

SCB
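An added example (not the asker's code or Devise's) that models the helper in plain Ruby so the difference between concatenating the alert raw and escaping it first can be checked outside Rails; `ERB::Util.html_escape` stands in for the escaping that `<%= alert %>` would perform, and the sample alert string is constructed.

```ruby
require 'erb'

# Plain-Ruby stand-in for devise_error_messages! as discussed above.
# The full_messages array plays the role of resource.errors.full_messages
# and is treated as trusted, as the question assumes; the alert comes from
# the flash and is escaped before it is concatenated into the box.
def devise_error_box(full_messages, alert)
  return '' if full_messages.empty? && alert.nil?

  # trusted validation messages, each followed by a <br>
  body = full_messages.map { |msg| "#{msg}<br>" }.join
  # escape the alert so any markup in it becomes inert text
  body << ERB::Util.html_escape(alert) if alert
  "<div class='errorbox'>#{body}</div>"
end

# The same helper without escaping, mirroring the original concatenation;
# it is kept only to show what .html_safe would hand straight to the browser.
def devise_error_box_unescaped(full_messages, alert)
  return '' if full_messages.empty? && alert.nil?

  body = full_messages.map { |msg| "#{msg}<br>" }.join
  body << alert if alert
  "<div class='errorbox'>#{body}</div>"
end

if __FILE__ == $0
  # constructed sample: a flash alert that happens to contain markup
  sample_alert = "<b>Invalid</b> login attempt"
  puts devise_error_box(["Email can't be blank"], sample_alert)
  puts devise_error_box_unescaped([], sample_alert)
end
```

The escaped version renders the markup literally, while the unescaped one passes it through unchanged, which is exactly what `.html_safe` on a raw `alert` would do.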