Securing the views


#1

Hi,

what about writing <%= h(@foo) %> in the view? I heard it’s necessary
for every information out of the database, I just couldn’t find any
information 'bout that?

… and what about writing -%> ? What’s that for? In which situation?

Greetings
Mario


#2

On 10 Nov 2008, at 22:12, Mario Peterscheck wrote:

Hi,

what about writing <%= h(@foo) %> in the view? I heard it’s necessary
for every information out of the database, I just couldn’t find any
information 'bout that?

That escapes the text, i.e. < becomes &lt; and so on. If users are just
inputting raw text this protects against them using characters which
have special significance, whether malicious (users trying to insert
funny tags into the page) or not (users don't have to know about
writing &amp; instead of &).

… and what about writing -%> ? What’s that for? In which situation?

That’s to do with suppressing the empty lines you would otherwise get
in the output for stuff like
<% if … %>

<% end %>
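The escaping and -%> behaviour described in the reply above, as an added example that is not part of the original thread: it uses only Ruby's standard ERB library, whose ERB::Util.h is the same helper Rails exposes as h() in views. The UNTRUSTED string, the two list templates and the render_* function names are constructed for the illustration and are not from the thread or from Rails.

```ruby
require 'erb'
include ERB::Util   # gives us h() (alias of html_escape), the helper Rails views call

# Constructed sample of "information out of the database": a comment body that
# an attacker managed to store, containing markup and characters with HTML meaning.
UNTRUSTED = %q{<script>alert("xss")</script> Tom & "Jerry"}

# Without h(): the stored markup lands in the page verbatim, so the browser runs it.
def render_unescaped(value)
  ERB.new('<p><%= value %></p>').result(binding)
end

# With h(): <, >, &, " (and ') become entities, so the browser shows the text
# instead of interpreting it as markup.
def render_escaped(value)
  ERB.new('<p><%= h(value) %></p>').result(binding)
end

# The -%> trim marker. ERB only honours it when trim_mode contains '-'
# (Rails turns this on for .erb views). With it, the newline that follows
# a -%> is swallowed, so <% each %> / <% end %> lines stop leaving blank
# lines in the output. Both templates below are constructed for this example.
LIST_PLAIN = "<ul>\n<% items.each do |i| %>\n<li><%= h(i) %></li>\n<% end %>\n</ul>\n"
LIST_TRIM  = "<ul>\n<% items.each do |i| -%>\n<li><%= h(i) %></li>\n<% end -%>\n</ul>\n"

def render_list(trim:)
  items = ['a', 'b']   # referenced by the templates through the binding
  if trim
    ERB.new(LIST_TRIM, trim_mode: '-').result(binding)
  else
    ERB.new(LIST_PLAIN).result(binding)
  end
end

if __FILE__ == $PROGRAM_NAME
  puts render_unescaped(UNTRUSTED)   # the <script> survives: this is the XSS case
  puts render_escaped(UNTRUSTED)     # only entities, nothing for the browser to execute
  puts render_list(trim: false)      # three blank lines between the list items
  puts render_list(trim: true)       # same markup, no blank lines
end
```

Run it with plain `ruby` and compare the two <p> lines: the unescaped one is exactly what h() is there to prevent. Note that the trim marker changes whitespace only; it has nothing to do with escaping, so -%> is never a substitute for h().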


#3

what about writing <%= h(@foo) %> in the view? I heard it’s necessary
for every information out of the database, I just couldn’t find any
information 'bout that?

You can also use <%= sanitize @foo %>, which will allow only a few
unharmful HTML tags that you choose.
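The sanitize helper mentioned above comes from Rails (today the rails-html-sanitizer gem, built on a real HTML parser), so to show the allowlist idea offline here is an added, hypothetical implementation that is not the thread's or Rails' own code: a tag whose name is not on the allowlist is dropped, attributes are always dropped, all remaining text is entity-escaped, and open tags are balanced on output. ALLOWED_TAGS, VOID_TAGS, TAG_RE and sanitize_allowlist are names chosen for this example.

```ruby
require 'erb'
require 'strscan'

# Hypothetical allowlist sanitizer for illustration only; Rails' sanitize helper
# is backed by a real HTML parser (rails-html-sanitizer), which you should prefer.
ALLOWED_TAGS = %w[b i em strong p br].freeze
VOID_TAGS    = %w[br].freeze            # allowed tags that never take a closing tag

# A tag: '<', optional '/', a name starting with a letter, anything up to the next '>'.
TAG_RE = %r{<(/?)([a-zA-Z][a-zA-Z0-9]*)[^>]*>}

def sanitize_allowlist(html, allowed: ALLOWED_TAGS)
  ss    = StringScanner.new(html)
  out   = +''
  stack = []                            # allowlisted tags currently open, for balancing

  until ss.eos?
    if ss.scan(TAG_RE)
      closing = ss[1] == '/'
      name    = ss[2].downcase
      next unless allowed.include?(name)    # <script>, <img>, <a onclick=...>: tag dropped
      if VOID_TAGS.include?(name)
        out << "<#{name}>" unless closing   # <br>, <br/> -> <br>; a stray </br> is dropped
      elsif closing
        next unless stack.include?(name)    # close tag with no matching open: dropped
        loop do                             # close anything still open inside it, then it
          top = stack.pop
          out << "</#{top}>"
          break if top == name
        end
      else
        stack.push(name)
        out << "<#{name}>"                  # re-emitted bare: every attribute is discarded
      end
    else
      # Not a tag: ordinary text, or a lone '<' that does not start a tag.
      text = ss.scan(/[^<]+/) || ss.getch
      out << ERB::Util.html_escape(text)
    end
  end

  out << "</#{stack.pop}>" until stack.empty?   # close whatever the input left open
  out
end

if __FILE__ == $PROGRAM_NAME
  puts sanitize_allowlist('<b>bold</b> and <script>alert(1)</script>')
  puts sanitize_allowlist('<B onclick="x()">hi</B><br/>a < b & "c"')
end
```

Two properties make this shape safe to reason about: the output only ever contains entity-escaped text plus bare tags regenerated from the allowlist, so no attribute or unknown element can reach the browser, and dropping a <script> tag still leaves its contents behind as escaped text. Extending the allowlist to tags that need attributes (a with href, img with src) is where the real work starts, because then URL schemes such as javascript: must be checked too; this example deliberately does not go there.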


#4

Thanks guys, quick and essential. Having some work now changing some
code :wink: