On Sun, Feb 12, 2006 at 11:30:31AM -0600, David Heinemeier Hansson wrote:
> > I don't personally use Basecamp, but if I remember correctly, many
> > people view the pages, so what prevents a bad user from doing:
> >
> > <a href="some link" onclick="do potentially bad thing here">Click me !</a>
> 
> Basecamp is account restricted. You have to be invited and accept the
> invitation to become part of a project and see the content. In this
> context, the ability of being able to use HTML outweighs the
> risk/impact of malicious users (you usually just participate in
> projects with people you know).
> 
> On a public forum, it's different. I wouldn't want to allow HTML there.

Allowing that there are some apps which must not allow _any_ script
injection (e.g. a bank loan system where the first privacy leak is
already a disaster), how about a mix of helpers/features that let one
optimize for local style?  i.e. let coders carve out areas that should
be input escaped, input filtered or output escaped.

Favor seldom-write/many-read performance
 * escape_html :var model method to escape input in model typecasting/wherever;
   use straight <%= foo %> on output

Allow html-rich content
 * safe_html :var model method to filter for a clean (programmable) subset

Be backward compatible
 * add a <%~ foo %> style to ERB, equivalent to <%= h foo %>

I have html filter code (albeit Java) -- I'll dig it up.  I can write
an erb patch for the Ruby folks.

Thoughts?

-jeremy
_____________________________________________________________________
jeremy wohl ..: http://igmus.org
_______________________________________________
Rails-core mailing list
Rails-core@lists.rubyonrails.org
http://lists.rubyonrails.org/mailman/listinfo/rails-core
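As an added example (not code from this thread, nor from Rails or Basecamp), here is a small Ruby sketch of the two proposed helpers: escape_html for fields that are escaped once and then printed raw with <%= foo %>, and safe_html as an allowlist filter for html-rich fields. ALLOWED_TAGS, ALLOWED_ATTRS, SAFE_URL and clean_attrs are assumed names chosen for this sketch.

```ruby
require "cgi"

# Output escaping, the equivalent of <%= h foo %>: every special character
# becomes an entity, so user text can never be parsed as markup.
def escape_html(text)
  CGI.escapeHTML(text.to_s)
end

# Allowlist for the "clean (programmable) subset" of HTML (assumed values).
# Anything not listed is rendered as literal text rather than silently dropped.
ALLOWED_TAGS  = %w[a b i em strong p br].freeze
ALLOWED_ATTRS = { "a" => %w[href] }.freeze
SAFE_URL      = %r{\A(?:https?://|mailto:|/)}i   # plain web links only

# Keep only allowlisted attributes; href must also match SAFE_URL.
def clean_attrs(tag, raw)
  allowed = ALLOWED_ATTRS.fetch(tag, [])
  raw.scan(/([a-z][a-z0-9-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/i).map do |name, dq, sq, bare|
    name  = name.downcase
    value = CGI.unescapeHTML(dq || sq || bare)   # decode before checking the URL scheme
    next unless allowed.include?(name)
    next if name == "href" && value !~ SAFE_URL
    %( #{name}="#{CGI.escapeHTML(value)}")
  end.compact.join
end

# Input filter for html-rich fields: a tokenizer over tags, entities and
# stray special characters. Simplified for illustration; a production
# filter would sit on a real HTML parser.
def safe_html(html)
  html.to_s.gsub(%r{<(/?)([a-z][a-z0-9]*)([^>]*)>|&(?:[a-z]+|#x?[0-9a-f]+);|[<>&"']}i) do |token|
    md = Regexp.last_match
    if md[2].nil?
      # an existing entity passes through; a bare < > & " ' is escaped
      token.start_with?("&") && token.length > 1 ? token : CGI.escapeHTML(token)
    else
      tag = md[2].downcase
      if !ALLOWED_TAGS.include?(tag)
        CGI.escapeHTML(token)            # e.g. <script> becomes visible text
      elsif md[1] == "/"
        "</#{tag}>"
      else
        "<#{tag}#{clean_attrs(tag, md[3])}>"
      end
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  # the example from the thread: onclick is dropped, "some link" is not a safe URL
  puts safe_html(%(<a href="some link" onclick="do potentially bad thing here">Click me !</a>))
  # => <a>Click me !</a>
end
```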
