itsastickup wrote: > Ok, thanks for that. > > Here's an example of what I mean: > > I want to let the user click a user provided url. That url could be > composed of javascript. I am asusming h() won't help for this > situation. Is my only option whitelisting? > > If whitelisting is it then I would prefer not to trust myself to the > (rather fragile) url Regex's out there. How do I know they won't leak? > These security guides often don't tell how, just that you must. And > there is no standardised library that I know of.
Thanks for this further explanation. What you are describing is a little different than what I understood from the OP. Basic rule of thumb is "Never trust ANY user input!" This is especially true if you are accepting URL's from users. In this case since you are taking a URL as an input parameter from the user then you certainly should sanitize that input using html_escape (i.e. h) method when outputting the value. It might even be safer in this case to sanitize the input value before saving it to the database or other persistent storage. This should ensure that any attempt to inject JavaScript, or other unsafe user input, get treated as literal text. -- Posted via http://www.ruby-forum.com/. --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
