Displaying 20 results from an estimated 2000 matches similar to: "sanitize dangers"
2006 Jun 21
11
executive: "is rails secure?"
Yesterday, I was doing a dog-and-pony for the head of the company that
I work for.
He asked, "Is this (a rails application) secure?"
I said, "It's as secure as anything else on the web is," and proceeded
to talk about how the data was protected, how we weren't saving
anything that's worth protecting, and so on.
I'd like to have a better
2006 May 05
4
Is sanitize() strong enough to protect me from XSS?
Haven't been able to find a good enough answer on whether using
sanitize() is enough to really protect me from XSS attacks
I basically have a blog page that I want to allow people to display
comments on but would like to allow html tags to be posted on the
comments, these could be html tags like the imageshack img tags, youtube
player, photobucket img tags etc
any other approaches or
2008 Feb 01
4
How to sanitize _before_ going into the database?
I use a call to the sanitize method every time I render some user
input, but it would be much nicer if I could clean it up once before
putting it into the database and avoid having to call the (relatively
expensive) sanitize every time I render a page.
My first thought was to just add something like:
def message=(x)
self[:message]=sanitize(x)
end
However, the sanitize helper cannot be called
2006 Jan 22
6
*Very* basic layout question
I'm trying to use a different layout for just one action in my
controller, all the other actions use the application.rhtml layout, so
what I'm doing is ...
class SomeController < ApplicationController
layout "simple", :only=> :some_action
......
end
and the "simple" layout is applied to all the actions, can someone
please give me a hint?
2006 Aug 14
8
How search engine friendly are RoR sites?
I am a total RoR virgin, and took my first steps this weekend into the
Ruby world. A lot of sites I create need to be as SEO friendly as
possible, particularly for google. Before I delve any further, can
anyone tell me how friendly the dynamic URLs are or if there is the usual
rewrite mod for Ruby?
Thanks
Mike
--
Posted via http://www.ruby-forum.com/.
2007 Nov 29
27
Strip & Sanitize BEFORE saving data
So I've googled my brains out, and I see a lot of talk about
TextHelper for views, but next to no discussion about cleaning text
_before_ it is saved.
I figured this had to be asked 4 zillion times, but I'm not finding
anything concrete/obvious.
Using h is fine as a safety catch, but that alone is not acceptable
to me as the means of defusing the impact of HTML or JS
2006 Aug 12
7
Redirect back to last page?
I have a few pages where a user may do something (add tags, login, etc)
and I would like to redirect them back to the last page they were at
before calling that action. Is there an easy way to do this?
2006 Jan 06
2
replace unknown action with 404
is there a way to replace unknown action error with a pretty 404 page ?
I set the ErrorDocument 404 in .htaccess, however when someone goes to
http://www.mysite.com/bogus i would like it to show a 404 error instead of
just "Unknown action".
Is this possible with a rescue or something?
adam
2006 Feb 25
2
A Couple of Questions
Hi All,
I have been using Ruby and Rails for only a few short days and I am
loving it so far. I have a couple of questions relating to a specific
project I am working on.
1. I am wondering about sessions expiring after a set period of
inactivity and what would be the easiest way to set it up.
2. I would like to be able to users on the system. Each of these users
has a login of their own. Each
2006 May 14
6
file and directory layout below app/models
Hi all,
Is it possible to organize my model files below app/models into
subfolders? E.g. I would like to put admin related models into their
own subfolder. This kind of structuring works for controllers and
views (scaffolding creates the right subfolder-model mappings), but
app/models always stays flat. I'd really like to be able to group my
code into logical, well packages :-) Yes, I
2006 Jan 09
3
XSS prevention with Rails
Hi!
I wanna take a stab at implementing better XSS prevention for Rails.
This time for real =)
I'm wondering what would be the better way, clean everything up with
tidy first and then do the rest with regexp or regexp all the way?
Anybody done this before?
Thanks!
Ciao!
Florian
2007 Feb 23
2
how to remove spaces from phone number
Hi,
I need to allow login based on the phone number. During the signup they
can give the number in any format with spaces, slash or (). But for
storing in database and then during login to compare I just want the 10
digit number. How can I remove the special char from phone number before
storing to db ?
Thanks.
2006 Jan 17
5
simple question
How do I pass parameters from one controller to another during
redirect_to command? I want to pass both model and non-model objects.
The solution I use is via session, but I rather pass it as parameters to
the redirect_to
Thanks.
2006 Jan 11
2
Wiki Home Page Has Spam Links
It seems the wiki-spam bot has been at work again. There are numerous
hidden links toward the top of the page that might be better gardened
out right away, if you know what I mean ;-|
2006 Apr 18
4
Security considerations with displaying uploaded HTML
I have an application where I am allowing users to upload (or refer the
app. to) arbitrary HTML that I am (currently) displaying in an IFRAME
on a page. The users will be authenticated so it's not open to the
entire universe.
I was always uneasy with this, but after reading the security chapter of
AWDWR, I am even more concerned.
What kinds of applications do people have out there
2012 Dec 12
0
Sanitize for style attributes
It's really confusing to decide whether sanitize will help avoid XSS in
case when :attributes => %w( style )
on stackoverflow, people say that it is not safe, yet the examples they
give such as
style="background-image: url(javascript:[code]);"
is being filtered out using sanitize and all that is left is style=""
is there a way to get a definite answer if
2005 May 13
5
HTML sanitizer
Hello!
Does anybody know of a Ruby implementation of a HTML sanitizer that
prevents the attacks described on the xss cheatsheet?
(http://ha.ckers.org/xss.html)
I checked out the version Jamis wrote
(http://dev.rubyonrails.com/ticket/1277), but that only covers the
very basic attacks.
Anybody? Just figured I would ask before I reinvent the wheel..
Ciao!
Florian
2006 Jan 06
3
Getting model class by string
Hello,
I have an interesting problem, I'm not sure how to solve :-)
I have the name of a model in a variable like this:
My model is called Article
My var contains "Article"
Now - How do I get the model class, so I can call Article.find,
Article.new etc ... ?
Greetings,
Gitte Wange
2006 Jan 25
11
Executing Ruby code that is inside a string
I would like to put Ruby code inside a string, between <%= %> tags, and
have the code inside the tags executed when the string is displayed. Is
this possible?
2006 Oct 14
2
issues with validates_associated not throwing error
Hello all
I'm having an issue with ruby on rails, and it not throwing an error
where it should.
I have a class 'clientpool' that is:
class Clientpool < ActiveRecord::Base
set_table_name "clientpool"
set_primary_key "id"
belongs_to :clients, :foreign_key => "cliname"
validates_presence_of :cliname
validates_associated :client
end