I have my working blog that uses comments and works very well. Now I'm focusing on the security, so which is the best way to secure the comments of the people in your app to avoid malicious code being included? I'm only using the h() function when displaying it on the admin zone (so the admin session is valid), but I don't know if that's enough or I'm missing something.

--
Posted via http://www.ruby-forum.com/.

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk
-~----------~----~----~----~------~----~------~--~---
> I'm only using the h() function when displaying it on the admin zone (so
> the admin session is valid), but I don't know if that's enough or I'm
> missing something.

1. Protect against SQL injection by using bind variables in your code.
2. When you populate your model object from a form, use attr_protected to prevent malicious users from accessing fields that are not intended for users to populate (like approved, paid fields, etc.).
3. Always check the id parameter to make sure that the id parameter belongs to that user, to avoid exposing records that belong to other users.
4. Protect all methods that are not supposed to be invoked from the URL by using the protected or private keyword for those methods.
5. Don't run an ftp server or echo server on your production machine.
6. Use the https protocol for sensitive data.
7. Don't cache authenticated pages.
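Points 2 and 3 in the list above are the two checks that are easiest to forget once the form and the controller "work". The following is an added example, not code from the thread or from Rails itself: a plain-Ruby stand-in for a model that filters a form-submitted attribute hash against a protected list (the idea behind attr_protected) and a finder that refuses to hand back a comment owned by a different user. The class, attribute names, NotAuthorized error and the in-memory STORE are all constructed for illustration and are not Rails APIs.

```ruby
# Added example (not from the thread): mass-assignment filtering and an
# ownership check, in plain Ruby so it runs without Rails.

class Comment
  # Fields a visitor must never be able to set through the form,
  # the same idea as attr_protected on a Rails model.
  PROTECTED_ATTRS = %w[id user_id approved].freeze

  attr_reader :id, :user_id, :body, :approved

  def initialize(id:, user_id:, body:, approved: false)
    @id, @user_id, @body, @approved = id, user_id, body, approved
  end

  # Assign only the attributes a visitor is allowed to send.
  # Returns the list of keys that were silently dropped, which is
  # worth logging: a request that keeps sending "approved" is a signal.
  def assign_from_params(params)
    dropped = []
    params.each do |key, value|
      key = key.to_s
      if PROTECTED_ATTRS.include?(key)
        dropped << key
      elsif key == 'body'
        @body = value
      end
      # unknown keys are ignored
    end
    dropped
  end
end

# Raised when a record is missing or belongs to someone else.  Using one
# error for both cases avoids telling a caller which ids exist.
class NotAuthorized < StandardError; end

# In-memory stand-in for Comment.find (constructed sample data).
STORE = {
  1 => Comment.new(id: 1, user_id: 10, body: 'first'),
  2 => Comment.new(id: 2, user_id: 20, body: 'second'),
}.freeze

# Point 3 above: never trust params[:id] on its own; the record must
# belong to the user whose session is making the request.
def find_owned_comment(id, current_user_id)
  comment = STORE[id.to_i]
  raise NotAuthorized, 'no such comment' if comment.nil?
  raise NotAuthorized, 'comment belongs to another user' unless comment.user_id == current_user_id
  comment
end

if __FILE__ == $PROGRAM_NAME
  c = Comment.new(id: 3, user_id: 10, body: 'draft')
  puts "dropped: #{c.assign_from_params('body' => 'edited', 'approved' => true).inspect}"
  puts find_owned_comment('1', 10).body
end
```

In a real Rails app the filtering happens in the model and the ownership check in the controller (for example by scoping the finder through the current user's association instead of calling Comment.find directly); the shape of the two checks is the same.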
On 10/25/06, Joselo <rails-mailing-list-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:
>
> I have my working blog that uses comments and works very well. Now I'm
> focusing on the security, so which is the best way to secure the
> comments of the people in your app to avoid malicious code being included?
>
> I'm only using the h() function when displaying it on the admin zone (so
> the admin session is valid), but I don't know if that's enough or I'm
> missing something.
>
> --
> Posted via http://www.ruby-forum.com/.
>

You are correct - h() is not enough. Check out the excellent White-listing plugin by Rick Olson at http://weblog.techno-weenie.net/2006/9/3/white-listing-plugin-for-rails.

Hope this helps,
Zack
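The difference between the two approaches in this thread is what happens to markup a visitor types: h() turns every tag into inert text (safe, but no formatting survives), while a white-list keeps a small set of known-safe tags and escapes everything else. The following is an added example, not code from the thread or from Rick Olson's plugin: a minimal allowlist sanitizer in plain Ruby that keeps a handful of tags, keeps only http(s) href values on links, and escapes all other tags, attributes and text with ERB::Util.html_escape, which is what h() wraps in Rails. The tag list, the regular expressions and the function names are my own choices.

```ruby
# Added example (not from the thread): escape-everything versus allowlist
# sanitising of comment HTML, in plain Ruby with only the stdlib.
require 'erb'

# Tags a comment may keep, with the attributes allowed on each.
# Anything not listed here is escaped into plain text.
ALLOWED_TAGS = {
  'b' => [], 'i' => [], 'em' => [], 'strong' => [], 'p' => [], 'br' => [],
  'a' => ['href'],
}.freeze

# Matches an opening or closing tag: group 1 is the name, group 2 the raw attributes.
TAG_RE = /<\/?\s*([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/
ATTR_RE = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/

# What h() does on its own: all markup becomes inert text.
def escape_only(text)
  ERB::Util.html_escape(text)
end

# Rebuild the attribute list of an allowed tag from scratch, keeping only
# allowed names; href must be an absolute http(s) URL so that schemes such
# as javascript: are dropped rather than passed through.
def sanitize_attrs(tag, raw_attrs)
  allowed = ALLOWED_TAGS[tag]
  out = String.new
  raw_attrs.scan(ATTR_RE) do |name, dq, sq, bare|
    name = name.downcase
    value = dq || sq || bare
    next unless allowed.include?(name)
    next if name == 'href' && value !~ /\Ahttps?:\/\//i
    out << " #{name}=\"#{ERB::Util.html_escape(value)}\""
  end
  out
end

# Walk the input tag by tag: text between tags is escaped, allowed tags are
# re-emitted with a cleaned attribute list, every other tag is escaped.
def sanitize_comment(html)
  result = String.new
  pos = 0
  html.scan(TAG_RE) do
    m = Regexp.last_match
    result << ERB::Util.html_escape(html[pos...m.begin(0)])
    tag = m[1].downcase
    closing = m[0].start_with?('</')
    if ALLOWED_TAGS.key?(tag)
      result << (closing ? "</#{tag}>" : "<#{tag}#{sanitize_attrs(tag, m[2])}>")
    else
      result << ERB::Util.html_escape(m[0])
    end
    pos = m.end(0)
  end
  result << ERB::Util.html_escape(html[pos..-1])
  result
end

if __FILE__ == $PROGRAM_NAME
  sample = '<b>hi</b> <script>alert(1)</script>'   # constructed input
  puts escape_only(sample)
  puts sanitize_comment(sample)
end
```

Whichever of the two is used, it has to run wherever a comment is rendered, not only in the admin zone: the public post page that shows the same comment to every visitor is the one that matters most. Applying the sanitizer on output also means a comment stored before the filter existed is still rendered safely.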