Dennis_Byrne@ak.blm.gov
2006-Jul-13 17:29 UTC
[Rails] script injection/cross-site scripting protection
When is it possible to set <script>while(true){}</script> as the value of project.name, what is the best way to escape the output of the following?

<td><%= project.name %></td>

Dennis Byrne
Jeremy Evans
2006-Jul-13 19:21 UTC
[Rails] script injection/cross-site scripting protection
On 7/13/06, Dennis_Byrne@ak.blm.gov <Dennis_Byrne@ak.blm.gov> wrote:
> When is it possible to set <script>while(true){}</script> as the value of
> project.name, what is the best way to escape the output of the following?
>
> <td><%= project.name %></td>

<td><%=h project.name %></td>
Kevin Olbrich
2006-Jul-13 19:28 UTC
[Rails] script injection/cross-site scripting protection
On Thursday, July 13, 2006, at 9:28 AM, wrote:
> When is it possible to set <script>while(true){}</script> as the value of
> project.name, what is the best way to escape the output of the following?
>
> <td><%= project.name %></td>
>
> Dennis Byrne

like this..

<td><%= h project.name %></td>

h() is a shortcut for html_escape, and should be used for any text output in a view that could be malicious.

I seem to recall support was added to ERB a while back to make this the default behavior.

_Kevin
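The two renderings side by side, as an added example (not code from the thread or from Rails itself): a tiny stand-in view object that includes ERB::Util, which is the module that gives Rails views h()/html_escape(), evaluates the exact <td> from the question once raw and once through h. The ProjectView class, the Project struct, the leaks_markup? check and the sample payload are assumptions made for the demonstration.

```ruby
require 'erb'

# Constructed sample input: the attacker-chosen value from the question,
# stored in project.name.
PAYLOAD = "<script>while(true){}</script>"

# Stand-in for a Rails view (an assumption for this example). ERB::Util is
# the module that gives Rails views h() and html_escape(); including it here
# makes h() resolve inside the template the way it does in an .rhtml view.
class ProjectView
  include ERB::Util

  Project = Struct.new(:name)
  attr_reader :project

  def initialize(name)
    @project = Project.new(name)
  end

  # Evaluate an ERB template string in this view's own binding, so that
  # `project` and `h` are looked up on the view object.
  def render(template)
    ERB.new(template).result(binding)
  end
end

UNSAFE_TEMPLATE = "<td><%= project.name %></td>"   # the cell from the question
SAFE_TEMPLATE   = "<td><%= h project.name %></td>" # the fix from the replies

def render_unsafe(name)
  ProjectView.new(name).render(UNSAFE_TEMPLATE)
end

def render_safe(name)
  ProjectView.new(name).render(SAFE_TEMPLATE)
end

# Review check over a rendered <td>: any raw '<' or '>' between the cell
# tags means the value reached the page unescaped.
def leaks_markup?(cell)
  inner = cell.delete_prefix("<td>").delete_suffix("</td>")
  inner.match?(/[<>]/)
end

if __FILE__ == $0
  puts render_unsafe(PAYLOAD)  # <td><script>while(true){}</script></td>
  puts render_safe(PAYLOAD)    # <td>&lt;script&gt;while(true){}&lt;/script&gt;</td>
end
```

Two caveats worth keeping in mind: h escapes &, <, > and quotes, which is the right transform for text in the HTML body or a quoted attribute value, but it does not make a value safe to drop into a <script> block, an unquoted attribute, or a URL; each of those contexts needs its own escaping. And in the Rails of this thread <%= %> emits the value raw, so h has to be applied at every output point; later Rails (3.0 onward) escapes <%= %> by default and requires an explicit raw or html_safe to opt out.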
Bill Walton
2006-Jul-13 19:31 UTC
[Rails] script injection/cross-site scripting protection
Hi Dennis,

Dennis_Byrne wrote:
> When is it possible to set <script>while(true){}</script>
> as the value of project.name,

Not sure I understand this. Is it something you want to do? Or something you're trying to protect against?

> what is the best way to escape the output of the following?
> <td><%= project.name %></td>

<%=h project.name %> is the standard way of escaping output in Rails.

hth,
Bill
Dennis_Byrne@ak.blm.gov
2006-Jul-13 20:05 UTC
[Rails] script injection/cross-site scripting protection
OK, just use h. Thanks to Kevin and Bill.

Dennis Byrne