It is because I am trying to distinguish between "real bugs" and bad input (a 400 error) that I don't want this to be a 500 error. I have a rescue action that sends me an email when a 500 error occurs (though it limits the number it sends) because if there is a bug in the program that users are running into, I want to know about it. I don't want to get those alerts every time someone intentionally sends bad input. It seems to me that the convenience of having sanitize just handle the exception outweighs the possibility of missing bugs involving sanitize calls (which seems slight to me, though maybe I am not thinking of some use case).
Thanks for the suggestion of adding a rescue. I might just patch sanitize locally so I don't have to type the rescue each time. On Thu, Sep 12, 2013 at 10:38 AM, Matt Jones <[email protected]> wrote: > It's unclear to me why you *wouldn't* want a 500 ISE here. Silently > swallowing ArgumentError or NoMethodError is a terrible idea, since it also > can obscure real bugs. > > If you really want that behavior, try: > > <%= sanitize(params[:name]) rescue '' %> > > --Matt Jones > > On Thursday, 12 September 2013 09:26:18 UTC-5, Paul E. G. Lynch wrote: > >> In this case it is user (hacker, scanner, etc.), not the programmer, who >> has passed the illegal argument. I don't think that should result in a 500 >> server error. To avoid that, either the programmer has to check each input >> parameter to make sure it is a string, or something like sanitize has to >> make the parameter safe. >> >> >> >> On Wed, Sep 11, 2013 at 7:21 PM, Robert Walker <[email protected]>wrote: >> >>> Paul Lynch wrote in post #1121214: >>> > If, in your view, you are expecting params[:name] to be a string, but >>> > actually rails has parsed it into {"."=>"1234"} (or something more >>> > malicious), then currently >>> > <%= sanitize(params[:name]) %> blows up because the hash does not >>> > respond >>> > the expected methods from the sanitize call. >>> > >>> > I could put in code to check that the params values I am sanitizing are >>> > strings, but it seems like it would be better for sanitize to handle >>> > that, >>> > and perhaps just return the empty string if the processing of the input >>> > raises an exception. >>> >>> Hum. It seems to me that "blowing up" is the right thing to do in this >>> scenario. More precisely an exception should be raised indicating a >>> programmer mistake of passing an illegal argument to a method expecting >>> a string. >>> >>> -- >>> Posted via http://www.ruby-forum.com/. >>> >>> -- >>> You received this message because you are subscribed to a topic in the >>> Google Groups "Ruby on Rails: Talk" group. >>> To unsubscribe from this topic, visit https://groups.google.com/d/** >>> topic/rubyonrails-talk/6P_**vm57_km8/unsubscribe<https://groups.google.com/d/topic/rubyonrails-talk/6P_vm57_km8/unsubscribe> >>> . >>> To unsubscribe from this group and all its topics, send an email to >>> rubyonrails-ta...@**googlegroups.com. >>> To post to this group, send email to rubyonra...@googlegroups.**com. >>> To view this discussion on the web visit https://groups.google.com/d/** >>> msgid/rubyonrails-talk/**c54d51850e1948568b77874beb9f21** >>> e1%40ruby-forum.com<https://groups.google.com/d/msgid/rubyonrails-talk/c54d51850e1948568b77874beb9f21e1%40ruby-forum.com> >>> . >>> For more options, visit >>> https://groups.google.com/**groups/opt_out<https://groups.google.com/groups/opt_out> >>> . >>> >> >> >> >> -- >> Paul Lynch >> National Library of Medicine >> > -- > You received this message because you are subscribed to a topic in the > Google Groups "Ruby on Rails: Talk" group. > To unsubscribe from this topic, visit > https://groups.google.com/d/topic/rubyonrails-talk/6P_vm57_km8/unsubscribe > . > To unsubscribe from this group and all its topics, send an email to > [email protected]. > To post to this group, send email to [email protected]. > To view this discussion on the web visit > https://groups.google.com/d/msgid/rubyonrails-talk/3042ea8d-7b0f-4080-9c95-1fe4202919ea%40googlegroups.com > . > > For more options, visit https://groups.google.com/groups/opt_out. > -- Paul Lynch National Library of Medicine -- You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/rubyonrails-talk/CAP3VaCVKJSaRE7jBeYEqKKDWE5VKu5C-9o0jqyoHppMX-CZYZA%40mail.gmail.com. For more options, visit https://groups.google.com/groups/opt_out.
