Hi, I don't know when to sanitize. I have some user input and I think it's a good idea to sanitize it, but I don't know whether to do it when I save the data in the database or every time I show it in the view. Maybe it's better for performance to do it before instead of every time. What do you think? Are there cons to sanitizing data before saving it?

--
Posted via http://www.ruby-forum.com/.

You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
nick wrote:
> Hi, I don't know when to sanitize. I have some user input and I think
> it's a good idea to sanitize it, but I don't know whether to do it when I save
> the data in the database or every time I show it in the view.
> Maybe it's better for performance to do it before instead of every
> time. What do you think?
> Are there cons to sanitizing data before saving it?

help :(
I do my sanitizing before I put the data in the table. I have the following function in application.rb:

    include ActionView::Helpers::TextHelper

    # Trim surrounding whitespace, strip every HTML tag, then run the result
    # through sanitize; a nil value is returned unchanged.
    def clean_up(input)
      sanitize(strip_tags(input.strip)) unless input.nil?
    end

If you want to strip out HTML even better, take a look at the WhiteListHelper plugin: http://www.agilewebdevelopment.com/plugins/whitelist

Kind regards,
Nick Snels
--
http://railshostinginfo.com Compare and review Rails hosting
Nick Snels wrote:
> I do my sanitizing before I put the data in the table.

Yeah, this is the right way to do it (sanitize on input). I don't know why the "standard" way (as promoted in the Agile book, I believe) only stresses escaping output.

The advantages of doing it at input:

- Only have to do it once versus having to use functions like h() many times for the same data (what about DRY?).
- If other apps use your data you do not have to rely on them doing the right thing.

Really, I think a lot of XSS issues could be avoided if frameworks like this would _sanitize by default_ and require sanitization to be specifically turned off. I suppose it should be pretty straightforward to put a :before_filter in application.rb that cleans up params?

Carl
Carl Johnson wrote:
> Nick Snels wrote:
>> I do my sanitizing before I put the data in the table.
>
> Yeah, this is the right way to do it (sanitize on input). I don't know
> why the "standard" way (as promoted in the Agile book, I believe) only
> stresses escaping output.
>
> The advantages of doing it at input:
>
> - Only have to do it once versus having to use functions like h() many
> times for the same data (what about DRY?).
> - If other apps use your data you do not have to rely on them doing the
> right thing.

The one advantage of not storing sanitized and escaped versions is that if the user enters something like

<b>Abcde</b>

in a text field, they will see exactly what they entered in both h-escaped text and in re-filled forms, while if an escaped version has been stored they will see

&lt;b&gt;Abcde&lt;/b&gt;

in the text box.

--
We develop, watch us RoR, in numbers too big to ignore.
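The double-escaping effect Mark describes, as an added example that is not code from the thread: CGI.escapeHTML stands in for Rails' h() so it runs outside Rails, and the input string is a constructed sample.

```ruby
require 'cgi'

# Constructed input, the case from Mark's post: markup typed into a text field.
USER_INPUT = "<b>Abcde</b> & friends"

# HTML-escape the way Rails' h() helper does: markup characters become
# entities, so the browser shows them as literal text.
def h(text)
  CGI.escapeHTML(text)
end

# Strategy 1: escape on input. The stored value is already entity-encoded.
def store_escaped(input)
  h(input)
end

# Strategy 2: store what the user typed; every view escapes on output.
def store_raw(input)
  input
end

# A correctly written view escapes whatever it renders, no matter which
# strategy filled the database. Form helpers do the same for value="...".
def render_in_view(stored)
  h(stored)
end

# The browser decodes entities once before displaying text or filling a
# field, so this is what the user actually sees.
def as_displayed(rendered_html)
  CGI.unescapeHTML(rendered_html)
end

# Run both strategies end to end and report what the user gets back.
def round_trip(input)
  {
    escape_on_input:  as_displayed(render_in_view(store_escaped(input))),
    escape_on_output: as_displayed(render_in_view(store_raw(input)))
  }
end

if __FILE__ == $0
  round_trip(USER_INPUT).each { |strategy, shown| puts "#{strategy}: #{shown}" }
end
```

With escape-on-input the user sees the entity text rather than what they typed, because the view (correctly) escapes the already-escaped value a second time.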
Mark Reginald James wrote:
> The one advantage of not storing sanitized and escaped versions
> is that if the user enters something like
>
> <b>Abcde</b>
>
> in a text field, they will see exactly what they entered in both
> h-escaped text and in re-filled forms, while if an escaped version has been
> stored they will see
>
> &lt;b&gt;Abcde&lt;/b&gt;
>
> in the text box.
>
> --
> We develop, watch us RoR, in numbers too big to ignore.

So it's better to escape the HTML when outputting and not on input? But then there are DRY and performance problems.
And what do you think about a validates_format_of which checks that there isn't any < or >? Obviously only in fields like name, surname, street, etc. For others maybe it's better to sanitize. And if I use this expression, do you think I'll also need to do an HTML escape? (Just to be sure, the expression is like /^[<>]$/ ?)

Thanks :o)
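As an added example (not code from the thread), here is what the pattern in the question actually matches, next to an unanchored reject pattern and an allowlist for a name field; the sample values are constructed, and the last function shows why output escaping is still needed for values that pass the check.

```ruby
require 'cgi'

# Constructed sample values for a name-style field (not taken from the thread).
SAMPLES = ["Alice", "O'Brien", "<", "<b>bold</b>", "a<b", "Smith & Sons"]

# The pattern from the question. Anchored by ^ and $, it matches only a
# string that is exactly one '<' or '>' character and nothing else.
PROPOSED = /^[<>]$/

# What the question intends: reject any value containing '<' or '>'.
CONTAINS_ANGLE = /[<>]/

# An allowlist for a name field: letters, spaces and a few punctuation marks.
# \A and \z anchor to the whole string; in Ruby ^ and $ match at line
# boundaries, so a multi-line value can slip past them.
NAME_ALLOWLIST = /\A[[:alpha:] .'-]+\z/

# True when the regex matches somewhere in the value.
def matches?(regex, value)
  !(value =~ regex).nil?
end

# Values a validation built on this regex would flag (for a reject pattern)
# or accept (for an allowlist).
def select_matching(regex, values)
  values.select { |v| matches?(regex, v) }
end

# A value that passes the '<>' check still needs escaping on output:
# '&' and quotes are significant in HTML text and attributes.
def escape_for_html(value)
  CGI.escapeHTML(value)
end
```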