Ok, thanks for that. Here's an example of what I mean:
I want to let the user click a user-provided URL. That URL could be composed of JavaScript. I am assuming h() won't help for this situation. Is my only option whitelisting? If whitelisting is it, then I would prefer not to trust myself to the (rather fragile) URL regexes out there. How do I know they won't leak? These security guides often don't tell how, just that you must. And there is no standardised library that I know of.

On 25 Mar, 00:48, Robert Walker <[email protected]> wrote:
> itsastickup wrote:
> > Is there an issue with URLs and security? How should I be encoding
> > them? More than just h()?
>
> Firstly h() doesn't encode URLs. Secondly URL encoding is not about
> security. URL encoding is used to convert characters in a URL to those
> of the limited set of characters that are valid for URLs.
>
> See: http://www.w3schools.com/TAGS/ref_urlencode.asp
>
> The Rails security guide posted by Greg contains the information you
> need to know to secure your Rails application. If you're querying about
> the security of the transmission of data between the client user agent
> (browser) and the web server, this is provided by the SSL/TLS protocol.
> SSL/TLS is common to all web sites and applications that need to protect
> the transmission of data across the internet, whether they be Rails or
> static web pages. SSL/TLS is also used to protect against so called
> "man-in-the-middle" attacks. SSL/TLS (as far as we know) makes it
> impossible for one web server to "spoof" a legitimate server. The fake
> site should never be able to acquire a valid certificate for a different
> domain.
>
> Beyond that, there are also security concerns in the client web
> browsers themselves. But, that's not really your concern as an
> application developer. That is unless you're the one trying to hack into
> client machines through security vulnerabilities in client browsers, but
> I trust that you're not.
> --
> Posted via http://www.ruby-forum.com/.
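As an added illustration of the scheme-whitelisting approach the question asks about (this is example code written for this reply, not code from the original thread or from Rails itself), the helper below uses Ruby's standard `URI` parser rather than a hand-written regex: it parses the user-supplied string, accepts it only if it parsed as an `http` or `https` URL with a host, and returns a normalised string (or `nil`) that a view can then pass to `link_to`. The allowed-scheme list and the function name `safe_link_url` are this example's own choices; the sample inputs at the bottom are constructed for demonstration.

```ruby
require "uri"

# Schemes a user-supplied link is allowed to use (assumption for this example:
# only web links are wanted, so mailto:, ftp: etc. are rejected along with
# javascript:, data: and vbscript:).
SAFE_SCHEMES = %w[http https].freeze

# Returns a normalised absolute URL string when +raw+ is an acceptable link,
# or nil when it must not be rendered as an href.  Parsing with URI instead of
# matching a regex means the scheme is whatever the parser finds, so tricks
# such as leading whitespace or mixed case do not change the decision.
def safe_link_url(raw)
  return nil if raw.nil?

  candidate = raw.strip
  # Reject embedded control characters (tab, newline, NUL, ...): some browsers
  # drop them while resolving the scheme, so "java\tscript:" would otherwise
  # be treated as "javascript:" by the client even though it is not by us.
  return nil if candidate.match?(/[\x00-\x1f\x7f]/)

  uri = URI.parse(candidate)
  # URI::HTTPS is a subclass of URI::HTTP; anything else (URI::Generic for
  # javascript:/data:, URI::MailTo, scheme-relative "//host") is refused.
  return nil unless uri.is_a?(URI::HTTP)
  return nil unless SAFE_SCHEMES.include?(uri.scheme.downcase)
  return nil if uri.host.nil? || uri.host.empty?

  # normalize lowercases scheme and host so the stored/rendered form is stable.
  uri.normalize.to_s
rescue URI::InvalidURIError
  # Unparseable input is not a link we want to emit.
  nil
end

if __FILE__ == $0
  # Constructed sample inputs, not data from the original thread.
  [
    "http://example.com/page",
    "HTTPS://Example.COM/a?b=1",
    "javascript:alert(1)",
    "  javascript:alert(1)",
    "java\tscript:alert(1)",
    "//evil.example/",
    "data:text/html,x",
    "http://"
  ].each do |raw|
    puts "#{raw.inspect} => #{safe_link_url(raw).inspect}"
  end
end
```

In a Rails view the returned value is what goes into `link_to`; when the helper returns `nil`, render the text without a link rather than falling back to the raw input. The allow-list is deliberately short: extending it (for example to `mailto`) is a conscious decision per application, which is the point of whitelisting over trying to enumerate bad schemes.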