Help with sanitize and escaping


#1

Hi, I don't know when to sanitize. I have some user input and I think
it's a good idea to sanitize it, but I don't know whether to do it when I save
the data in the database or every time I show it in the view.
Maybe it's better for performance to do it before, instead of every
time. What do you think?
Are there cons to sanitizing data before saving it?


#2

nick wrote:

Hi, I don't know when to sanitize. I have some user input and I think
it's a good idea to sanitize it, but I don't know whether to do it when I save
the data in the database or every time I show it in the view.
Maybe it's better for performance to do it before, instead of every
time. What do you think?
Are there cons to sanitizing data before saving it?

help :frowning:


#3

I do my sanitizing before I put the data in the table. I have the
following function in application.rb:

# In Rails 2.0 and later, sanitize and strip_tags live in
# ActionView::Helpers::SanitizeHelper instead of TextHelper.
include ActionView::Helpers::TextHelper

# Trim whitespace, remove HTML tags, then sanitize whatever is left.
# Returns nil when the input is nil.
def clean_up(input)
  sanitize(strip_tags(input.strip)) unless input.nil?
end

If you want to strip out HTML even better, take a look at the
WhiteListHelper plugin:
http://www.agilewebdevelopment.com/plugins/whitelist

Kind regards,

Nick S.

http://railshostinginfo.com
Compare and review Rails hosting


#4

Mark Reginald J. wrote:

The one advantage of not storing sanitized and escaped versions
is that if the user enters something like

<b>Abcde</b>

in a text field, they will see exactly what they entered in both
h-escaped text and in re-filled forms, while if an escaped version has been
stored they will see

&lt;b&gt;Abcde&lt;/b&gt;

in the text box.


We develop, watch us RoR, in numbers too big to ignore.

So it's better to escape the HTML on output and not on input? But then
there are DRY and performance problems.


#5

Nick S. wrote:

I do my sanitizing before I put the data in the table.

Yeah, this is the right way to do it (sanitize on input). I don't know
why the "standard" way (as promoted in the Agile book, I believe) only
stresses escaping output.

The advantages of doing it at input:

-Only have to do it once versus having to use functions like h() many
times for the same data (what about DRY?).
-If other apps use your data you do not have to rely on them doing the
right thing.

Really I think a lot of XSS issues could be avoided if frameworks like
this would sanitize by default and require sanitization to be
specifically turned off.

I suppose it should be pretty straightforward to put a :before_filter in
application.rb that cleans up params?

Carl


#6

Carl J. wrote:

-Only have to do it once versus having to use functions like h() many
times for the same data (what about DRY?).
-If other apps use your data you do not have to rely on them doing the
right thing.

The one advantage of not storing sanitized and escaped versions
is that if the user enters something like

<b>Abcde</b>

in a text field, they will see exactly what they entered in both
h-escaped text and in re-filled forms, while if an escaped version has been
stored they will see

&lt;b&gt;Abcde&lt;/b&gt;

in the text box.


We develop, watch us RoR, in numbers too big to ignore.
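To make the re-filled form argument concrete, here is an added Ruby illustration (not code from this thread or from Rails) of what the user sees in the text box under each of the three strategies discussed in #3, #5 and #6. It uses the standard library's ERB::Util.html_escape in place of Rails' h(), and a deliberately minimal, hypothetical strip_tags stand-in for the real helper used by clean_up.

```ruby
# Added illustration, not code from the thread. Compares what ends up in a
# re-filled <input value="..."> under: store-escaped, escape-on-output, and
# strip-tags-on-input. strip_tags below is a hypothetical stand-in only.
require "erb"

# HTML-escape for output, the job Rails' h() does in a view.
def h(text)
  ERB::Util.html_escape(text)
end

# Hypothetical minimal tag stripper standing in for Rails' strip_tags.
def strip_tags(text)
  text.gsub(/<[^>]*>/, "")
end

# What the browser displays after decoding the attribute's entities once.
# "&amp;" is decoded last so a double-escaped "&amp;lt;" stays as "&lt;".
def browser_decodes(html)
  html.gsub("&lt;", "<").gsub("&gt;", ">").gsub("&quot;", '"').gsub("&amp;", "&")
end

# Strategy A (#5): escape at input and store that, then the view escapes
# again on output, which is where the double escaping comes from.
def stored_escaped_form_value(raw)
  stored = h(raw)              # saved to the database already escaped
  browser_decodes(h(stored))   # re-filled form escapes the stored value again
end

# Strategy B (#6): store the raw text, escape only when rendering.
def escape_on_output_form_value(raw)
  stored = raw
  browser_decodes(h(stored))
end

# Strategy C (#3): strip tags at input like clean_up, then escape on output.
# Safe, but lossy: the user's literal "<b>" text is gone from the record.
def sanitized_input_form_value(raw)
  stored = strip_tags(raw.strip)
  browser_decodes(h(stored))
end

if __FILE__ == $PROGRAM_NAME
  raw = "<b>Abcde</b>"                                 # constructed input
  puts "stored escaped:    #{stored_escaped_form_value(raw)}"
  puts "escape on output:  #{escape_on_output_form_value(raw)}"
  puts "sanitize on input: #{sanitized_input_form_value(raw)}"
end
```

Only strategy B hands the user back exactly what they typed while still rendering safely; A shows them `&lt;b&gt;Abcde&lt;/b&gt;` in the box, and C silently changes their data.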


#7

And what do you think about a validates_format_of which checks that there
isn't any < or >? Obviously only in fields like name, surname, street,
etc. For others maybe it's better to sanitize.
And if I use this expression, do you think I'll also need to do an HTML
escape?
(Just to be sure, the expression is like: /^[<>]$/ ?)
Thanks :o)