On Saturday, December 14, 2013 3:36:27 AM UTC, Derek Chadwell wrote:
>
> The javascript is awfully long so I won't post it here, but it can be
> viewed at
> https://github.com/ubilabs/geocomplete/<https://www.google.com/url?q=https%3A%2F%2Fgithub.com%2Fubilabs%2Fgeocomplete%2F&sa=D&sntz=1&usg=AFQjCNE-CV2SZPgLIzjWDtaM9jh_kNJ0Ng>.
> I think all you would need to know about it is that it defines
> attributes for a found google address and then fills in fields on a page
> whose names match the attribute names in the jquery. Of those, I am only
> interested in "lat" and "lng" for now.
>
> My question is around the right way to do this. Should I do something to
> force the "lat" and "lng" variables into the Locations hash so I can
> .permit() those keys and keep my program safe? Should I not worry about it
> and soldier on? Is there something inherently wrong with my use of the
> name symbols with the fields_for functionality? A consult is very welcome.
>
>
First off it looks like the plugin will, instead of looking at the name
attribute look at the attribute of your choice if you ask it to. The
example in the docs reads
<div class="details">
Latitude: <span data-geo="lat" />
Longitude: <span data-geo="lng" />
Address: <span data-geo="formatted_address" />
Country Code: <span data-geo="country_short" /></div>
$("input").geocomplete({
details: ".details",
detailsAttribute: "data-geo"});
Which seems to suggest that it would then use the data-geo attribute to
locate the fields.
As far as security goes, you should be ok as it is. The reason things like
strong parameters (and previously attr_accessible) is that we're trying to
have all of the convenience of SomeClass.create(params[:some_class]) but
with the safety that comes from explicitly saying what should be assigned
(so that people can't add extra params to the hash and have us blindly
assign them) eg
object = SomeClass.new
object.foo = params[:foo]
object.bar = params[:bar]
which is tedious. There isn't anything wrong from a security point of view
with the tedious way: no one can add extra parameters and have you
unwittingly used them.
The only extra thing strong_parameters does is reject parameters of
unexpected types. There have been in the past vulnerabilities due to
arrays, nils, hashes etc. being passed when the programmer expected strings
or numbers (although if my memory is correct that was to do with those
values being passed to where().
To replicate that protection, all you would have to do is
@location.coordinates = [params[:lng].to_f,params[:lat].to_f]
Fred
--
You received this message because you are subscribed to the Google Groups "Ruby
on Rails: Talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/rubyonrails-talk/f31231c3-e425-4443-bc42-5e7107066516%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
