Using a user-supplied string with String#include?

Hi

In a web app that will soon be out there in the vast and partially
evil web, I might take a string which a user supplied via an HTML
form, and use it roughly like this:

some_str.downcase.include?(user_supplied_str.downcase)

Would this be dangerous? Could the visitor smuggle in stuff like
backticks or #{}?

Should I increase $SAFE, use #taint, and filter out dangerous
characters?

Tobi

On 9/17/07, Tobi R. [email protected] wrote:

> Hi
>
> In a web app that will soon be out there in the vast and partially
> evil web, I might take a string which a user supplied via an HTML
> form, and use it roughly like this:
>
> some_str.downcase.include?(user_supplied_str.downcase)
>
> Would this be dangerous? Could the visitor smuggle in stuff like
> backticks or #{}?

No. Here it’s perfectly safe - you have to call eval to evaluate #{},
`` etc. Other dangerous actions might be “send”, “class_eval”, … but
here you are not using any of them.
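To make the reply's point concrete, here is an added example (not code from either poster) that runs the same `downcase.include?` check over constructed inputs containing `#{}` and backticks, and shows why they stay inert: interpolation and command substitution are source syntax that Ruby resolves when it parses a literal, so a string that arrives at runtime is only data. The `mentions?` helper and the sample inputs are assumptions for illustration.

```ruby
# Added example, not from the original thread. Shows that String#include?
# compares characters only, so #{} and backticks in user-supplied text are
# never evaluated. All inputs below are constructed for the demonstration.

# Constructed "form input", written with single quotes so the #{} and
# backticks stay literal, exactly as they would arrive over HTTP.
USER_INPUTS = [
  'ruby',
  '#{1 + 1}',
  '`echo hi`',
].freeze

HAYSTACK = 'Ruby is a dynamic language'.freeze

# The check from the thread: case-insensitive substring test.
def mentions?(haystack, needle)
  haystack.downcase.include?(needle.downcase)
end

# Run every constructed input through the check and record whether the
# input string is still byte-for-byte the same afterwards (it is: nothing
# interpolates, nothing executes).
def check_all(haystack = HAYSTACK, inputs = USER_INPUTS)
  inputs.map do |input|
    before = input.dup
    hit = mentions?(haystack, input)
    { input: input, found: hit, unchanged: input == before }
  end
end

# Interpolation is resolved when Ruby parses a *literal* in the source file.
# The same characters held in a variable at runtime are plain text: include?
# sees the eight characters '#', '{', '1', ' ', '+', ' ', '1', '}'.
def interpolation_is_compile_time
  literal = "#{1 + 1}"   # source-code literal: evaluated to "2" at parse time
  data = '#{1 + 1}'      # runtime data: stays as the raw characters
  { literal: literal, data: data, data_length: data.length }
end

if __FILE__ == $PROGRAM_NAME
  check_all.each do |r|
    puts "#{r[:input].inspect} -> found=#{r[:found]} unchanged=#{r[:unchanged]}"
  end
  p interpolation_is_compile_time
end
```

Only `eval`, `instance_eval`/`class_eval`, `send` with a caller-chosen method name, backticks or `system` applied to the string would turn it back into code, which is exactly the distinction the reply draws. Note for readers on current Ruby: the `$SAFE` level and `Object#taint` mentioned in the question were deprecated in Ruby 2.7 and are no longer functional in Ruby 3, so the literal-comparison argument above is the one to rely on.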