Rails has always had ways to sanitize the display of data and since 2.x there is even white-listing included. However, I think most of the time it gets the wrong end of things when user-provided data is sanitized on display. The unsanitary parts shouldn't have been allowed in from the start.

The right point, in my opinion, is in (or before) a controller's #create and #update actions; not in the model, as I might want to allow the backend to insert data that a user couldn't.

Before I whip up my own solution, I've looked for plugins doing this, but didn't find any. Is there already relevant code floating around?

Michael

--
Michael Schuerig
mailto:michael-q5aiKMLteq4b1SvskN2V4Q@public.gmane.org
http://www.schuerig.de/michael/

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---
When you sanitize, you assume that the data will be rendered in a browser, because sanitization is all about removing things that may be harmful in that rendering environment. If you ever plan on offering other ways to render your data (say, for example, via an API to your service), then your pre-storage sanitization has not made anything safer, and has in fact caused data loss. On top of that, you have to sanitize again, to make the data safe for rendering in XML, JSON, or whatever other output formats your API may offer.

So pre-storage sanitization is, generally speaking, a Bad Idea(tm). It's a philosophical debate, of course, but that's where I stand on it.

Best Regards,
Danny

--
Posted via http://www.ruby-forum.com/.
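The two layers the first two posts are arguing over, shown side by side as an added example (this is not code from either poster or from Rails; it is plain Ruby on the standard library, with `ERB::Util.html_escape` and `JSON.generate` standing in for Rails' view and API encoders). Michael's point is boundary validation: the controller's #create/#update decides which field shapes are acceptable at all. Danny's point is that anything beyond that belongs to the renderer, because each output context needs its own encoding, and the block shows the data loss he describes when an HTML-escaped value is stored and then served over JSON. The field names, the `NAME_PATTERN` allow-list and the sample submission are constructed assumptions.

```ruby
require 'erb'
require 'json'

# Constructed sample submission (assumption): what a form might POST to #create.
SAMPLE_PARAMS = {
  'name' => "O'Brien & Sons",
  'bio'  => '<b>Hi</b> "friends"'
}.freeze

# Layer 1: validation at the controller boundary (Michael's suggested point).
# This is an allow-list on the *shape* of a field, not a rewrite of its
# content: a display name may only contain letters, spaces and a few
# punctuation characters. Anything else is rejected; nothing is "cleaned".
NAME_PATTERN = /\A[[:alpha:] .'&-]{1,80}\z/

def valid_name?(name)
  name.is_a?(String) && name.match?(NAME_PATTERN)
end

def accept_submission(params)
  # Reject malformed fields outright; accepted values are stored unmodified.
  return nil unless valid_name?(params['name'])
  { 'name' => params['name'], 'bio' => params['bio'] }
end

# Layer 2: context-specific encoding at render time (Danny's point).
# The stored value is the raw text the user typed; each output format
# encodes it for its own context.
def render_html(bio)
  # HTML context: &, <, > and " become entities, so no markup is injected.
  "<p>#{ERB::Util.html_escape(bio)}</p>"
end

def render_json(bio)
  # JSON context: quotes and backslashes are escaped; HTML entities have
  # no meaning here and would simply be wrong data.
  JSON.generate('bio' => bio)
end

# The pre-storage approach under discussion: HTML-escape once on the way in,
# then hand the stored value to every renderer. An API client now receives
# HTML entities instead of the text the user wrote.
def prestored_html_then_json(bio)
  stored = ERB::Util.html_escape(bio)   # what would have been written to the DB
  render_json(stored)
end

if __FILE__ == $PROGRAM_NAME
  record = accept_submission(SAMPLE_PARAMS)
  puts render_html(record['bio'])
  puts render_json(record['bio'])
  puts prestored_html_then_json(record['bio'])
end
```

Run it as a script to see the three outputs: the HTML rendering carries entities, the JSON rendering carries the original text with only JSON escaping, and the pre-sanitized path leaks `&lt;b&gt;` and `&quot;` into the JSON body, which is the corruption Danny refers to. The validation layer, by contrast, never needs to know about output formats, which is why the two layers complement rather than replace each other.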
This is crap! Someone who deliberately inserts malicious code into data does not deserve to see his data saved in the correct way. Sanitization must happen before data gets saved into the DB. Maybe someday you will forget to escape a field, and BOOOM it blows all over you.

--
Posted via http://www.ruby-forum.com/.