Re: two security questions

Thu, 12 Aug 2010 11:12:47 -0700 

This example worked here:

    require 'rubygems'
    require 'rack/csrf'
    require 'camping'
    require 'camping/session'

    Camping.goes :Hello

    module Hello
      use Rack::Csrf
      include Camping::Session
    end

    module Hello::Controllers
      class Index
        def get
          Rack::Csrf.csrf_token(@env)
        end
      end
    end

Notice that you'll have to reverse the `use`-lines. Maybe we should
file that as a bug? Since it works the other way both in Rackup files
and Sinatra?

// Magnus Holm



On Wed, Aug 11, 2010 at 21:33, David Susco <[email protected]> wrote:
> Ted,
>
> Do you use Camping::Session with Rack::Csrf? If so, how did you get it
> to work? Once I include Camping::Session the csrf_token changes every
> time I call the method.
>
> Can anyone explain what include Camping::Session is actually doing?
>
> Dave
>
> On Mon, Aug 9, 2010 at 12:22 PM, Ted Kimble <[email protected]> wrote:
>> For cross-site request forgery protection I've simply used the
>> Rack::Csrf middleware before (http://github.com/baldowl/rack_csrf).
>> The github page is pretty self explanatory.
>>
>> For Haml, you should just be able to set its :escape_html option to
>> true and then
>>
>>    %p= @something_nasty
>>
>> will be escaped by default. See:
>>
>> http://haml-lang.com/docs/yardoc/file.HAML_REFERENCE.html#escape_html-option
>>
>> for more info.
>>
>> Best,
>> Ted
>>
>> On Mon, Aug 9, 2010 at 9:15 AM, David Susco <[email protected]> wrote:
>>> Hey guys,
>>>
>>> What do people do to protect against cross-site request forgery? To
>>> mimic what rails does I was thinking of creating a unique key for each
>>> session, and then in my logged_in? helper checking if the key passed
>>> by the user matches the one I set in the session.
>>>
>>> On the second question, I'm using Tilt with Haml templates. Any idea
>>> how I can set Haml's :escape_html option so each template escapes all
>>> HTML within variables?
>>>
>>> --
>>> Dave
>>> _______________________________________________
>>> Camping-list mailing list
>>> [email protected]
>>> http://rubyforge.org/mailman/listinfo/camping-list
>>>
>> _______________________________________________
>> Camping-list mailing list
>> [email protected]
>> http://rubyforge.org/mailman/listinfo/camping-list
>>
>
>
>
> --
> Dave
> _______________________________________________
> Camping-list mailing list
> [email protected]
> http://rubyforge.org/mailman/listinfo/camping-list
>
_______________________________________________
Camping-list mailing list
[email protected]
http://rubyforge.org/mailman/listinfo/camping-list

Reply via email to