Rails - Feb 2005 - Re: scaffold is vulnerable to xss - suggestion

>>http://manuals.rubyonrails.com/read/book/8
>>>
>>> covers xss and sql injection attacks (and the h() method mentioned
below).
> 
> 
> No, it doesn''t.
> 
> It explains how to make your page secure, but not how to make an scaffolded
> page secure.
> 
> I do want to keep my pages scaffolded, so my question is:
> 
> how do I make scaffold do the h function on all the data it displays?
You could use the script/generate scaffold method so you''d have code to
work from, rather than the runtime scaffolding stuff. Otherwise you''d 
have to actually get into the scaffolding generator itself to change 
what it produces.

See: http://wiki.rubyonrails.com/rails/show/Generators

> You could use the script/generate scaffold method so you''d have
code to
> work from, rather than the runtime scaffolding stuff. Otherwise
you''d
> have to actually get into the scaffolding generator itself to change
> what it produces.
>
> See: http://wiki.rubyonrails.com/rails/show/Generators
Thanks. that is exactly what I was looking for.

> Scaffolds are not for production. End of sentence.
> 
> Scaffolds are for rapid prototyping and testing.
> 
> After all, this is rails, not dBASEII.
> 
> Why in the good name of Frig would anyone want to put 
> -scaffolds- into a
> -production- app anyway?
If I may interject...

Like it or not, people ARE going to put scaffolds into production applications. 
At the moment, Rails is being touted as a "Zero to Sixty in Zero Seconds
Flat" development framework.  That is bringing alot of newcomers into the
fold (myself included), and not all of them are going to take the time and
effort to make their code secure.  Fair enough, it''s their own durn
fault... but what you don''t want is for Rails to get a bad reputation
as being insecure because of casual programmers'' errors.

Patient: "Doctor, it hurts when I do this."
Doctor:  "Then, stop doing that."

At the very least, perhaps it should be made explicitly clear that scaffolds are
not secure, and should be used with caution.  Not everyone reads the mailing
list.

clay.

-- 
No virus found in this outgoing message.
Checked by AVG Anti-Virus.
Version: 7.0.300 / Virus Database: 265.8.5 - Release Date: 2/3/2005