Forum: Ruby on Rails Help with sanitize and escaping

nick (Guest)
on 2007-01-19 15:41
Hi, I don't know when to sanitize. I have some user input and I think
it's a good idea to sanitize it, but I don't know whether to do it when I
save the data in the database or every time I show it in the view.
Maybe it's better for performance to do it before instead of every
time, what do you think?
Are there cons to sanitizing data before saving it?
nick (Guest)
on 2007-01-19 21:03
nick wrote:
> Hi, I don't know when to sanitize. I have some user input and I think
> it's a good idea to sanitize it, but I don't know whether to do it when I
> save the data in the database or every time I show it in the view.
> Maybe it's better for performance to do it before instead of every
> time, what do you think?
> Are there cons to sanitizing data before saving it?

help :(
Nick S. (Guest)
on 2007-01-19 23:33
I do my sanitizing before I put the data in the table. I have the
following function in application.rb:

include ActionView::Helpers::TextHelper

# Strip all HTML tags, then sanitize whatever remains, before the value
# is assigned to the model. Returns nil when no input was given.
def clean_up(input)
  sanitize(strip_tags(input.strip)) unless input.nil?
end

If you want to strip out HTML even better, take a look at the
WhiteListHelper plugin:
http://www.agilewebdevelopment.com/plugins/whitelist

Kind regards,

Nick S.
--
http://railshostinginfo.com
Compare and review Rails hosting
Carl J. (Guest)
on 2007-01-19 23:58
Nick S. wrote:
> I do my sanitizing before I put the data in the table.

Yeah, this is the right way to do it (sanitize on input). I don't know
why the "standard" way (as promoted in the Agile book, I believe) only
stresses escaping output.

The advantages of doing it at input:

- Only have to do it once versus having to use functions like h() many
  times for the same data (what about DRY?).
- If other apps use your data you do not have to rely on them doing the
  right thing.

Really I think a lot of XSS issues could be avoided if frameworks like
this would _sanitize by default_ and require sanitization to be
specifically turned off.

I suppose it should be pretty straightforward to put a :before_filter in
application.rb that cleans up params?

Carl
Mark Reginald J. (Guest)
on 2007-01-20 12:33
(Received via mailing list)
Carl J. wrote:
> -Only have to do it once versus having to use functions like h() many
> times for the same data (what about DRY?).
> -If other apps use your data you do not have to rely on them doing the
> right thing.

The one advantage of not storing sanitized and escaped versions
is that if the user enters something like

   <b>Abcde</b>

in a text field, they will see exactly what they entered in both
h-escaped text and in re-filled forms, while if an escaped version
has been stored they will see

   &lt;b&gt;Abcde&lt;/b&gt;

in the text box.

--
We develop, watch us RoR, in numbers too big to ignore.
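The difference Mark describes, as an added example in plain Ruby (not code from the thread): the same input is stored three ways, then rendered into a re-filled text field the way an escaping form helper would. The tag-stripping regexp stands in for Rails' strip_tags (assumption: no Rails loaded here), and the sample input is constructed.

```ruby
require 'cgi'

# Constructed sample: what a user types into a plain text field.
RAW_INPUT = "<b>Abcde</b>"

# Option 1: store the raw text and escape on every render (h() in the view).
def store_raw(input)
  input
end

# Option 2: escape once, before saving (Carl's preference).
def store_escaped(input)
  CGI.escapeHTML(input)
end

# Option 3: Nick S.'s clean_up, approximated with a tag-stripping regexp
# instead of Rails' strip_tags (assumption). Tags are lost for good.
def store_stripped(input)
  input.nil? ? nil : input.strip.gsub(/<[^>]*>/, "")
end

# A form helper always escapes the value it writes into the attribute; this
# is the HTML source the browser receives for the re-filled text box.
def render_text_field(stored)
  %(<input type="text" name="title" value="#{CGI.escapeHTML(stored)}">)
end

# What the user actually sees in the box: the browser decodes entities once,
# so a value that was already escaped on input comes back as visible entities.
def displayed_value(html)
  CGI.unescapeHTML(html[/value="([^"]*)"/, 1])
end

if __FILE__ == $0
  [["store raw", store_raw(RAW_INPUT)],
   ["store escaped", store_escaped(RAW_INPUT)],
   ["store stripped", store_stripped(RAW_INPUT)]].each do |label, stored|
    html = render_text_field(stored)
    puts "#{label}: stored=#{stored.inspect} shown=#{displayed_value(html).inspect}"
  end
end
```

Only the raw-storage plus escape-on-output path shows the user exactly what they typed; escaping on input double-escapes in re-filled forms, and stripping on input destroys the markup.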
nick (Guest)
on 2007-01-20 13:51
Mark Reginald J. wrote:
> The one advantage of not storing sanitized and escaped versions
> is that if the user enters something like
>
>    <b>Abcde</b>
>
> in a text field, they will see exactly what they entered in both
> h-escaped text and in re-filled forms, while if an escaped version
> has been stored they will see
>
>    &lt;b&gt;Abcde&lt;/b&gt;
>
> in the text box.
>
> --
> We develop, watch us RoR, in numbers too big to ignore.

So it's better to escape the HTML on output and not on input? But then
there are DRY and performance problems.
nick (Guest)
on 2007-01-21 00:09
And what do you think about a validates_format_of which checks that there
isn't any < or >? Obviously only in fields like name, surname, street,
etc. For others maybe it's better to sanitize.
And if I do this expression, do you think I'll also need to do an HTML
escape?
(just to be sure, the expression is like: /^[<>]$/ ?)
Thanks :o)