On 16 March 2010 11:41, Jeremy Chase <[email protected]> wrote:

> things should just be sanitized before insertion into the DB and forgo
> the h(). Just my opinion. I still use h() and sanitize()

Two problems with that:

The first and smallest is an annoyance. If I want to save my blog in a db, and I write a post that has the content:

"Never use '<' in your HTML; use '<' instead"

...this will get written to the DB as:

"Never use '>' in your HTML; use '>' instead"

...which then gets encoded with h() in a view as:

"Never use '&gt;' in your HTML; use '&gt;' instead"

...or if just output straight to the view "because it was sanitized before putting it in the DB" as:

"Never use '<' in your HTML; use '<' instead"

You'll have seen this happen on *loads* of bulletin boards and feedback comments all over the web. Adjusting the user's input before storing it in the db is "bad", because you can never reverse it without all sorts of unreliable hoops. Just store what they typed, and whenever you deal with it assume it's highly toxic.

The second problem is an arrogant presumption that the only place that will ever use this user-supplied data is in the rendering of an HTML page. But what happens when you're storing details, say of an order placed, and the user enters their special delivery comments:

"Please knock & wait for >5mins"

You store this as:

"Please knock & wait for <5mins"

...because you *know* you're going to have to display it in a confirmation page on the web site and you don't want to worry about encoding it there every time, but you forget that you might want it put into a PDF that's generated for the delivery driver, or use it in a JS function on the web page, or include it in a field of a CSV export. In each of these instances, you're going to have to decode it back from the "safe" HTML-encoded version to the user input (I refer you to my first point; that you can not reliably do this :-) before encoding it however you need for your new use.

Life is much easier if you just store what they typed and deal with it when you use it...
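The two strategies the reply contrasts, as an added Ruby example that is not part of the original thread or of Rails itself: one helper HTML-escapes the input before "storing" it (the approach the reply argues against), the other stores exactly what the user typed, and a set of per-context output encoders (HTML, CSV, JavaScript string literal) is run over both. The sample inputs are constructed from the post's own examples; the storage layer is simulated by plain Ruby strings rather than a database, and the encoders use the standard library (`ERB::Util.html_escape`, `CSV.generate_line`, `JSON.generate`) rather than Rails' `h()`.

```ruby
require 'erb'
require 'csv'
require 'json'

# Constructed sample inputs, mirroring the post's two scenarios.
BLOG_POST     = "Never use '<' in your HTML; use '&lt;' instead"
DELIVERY_NOTE = "Please knock & wait for >5mins"

# Strategy A (argued against in the post): HTML-escape before "storing".
# ERB::Util.html_escape turns & < > " ' into &amp; &lt; &gt; &quot; &#39;.
def store_sanitized(text)
  ERB::Util.html_escape(text)
end

# Strategy B (the post's recommendation): store exactly what was typed.
def store_raw(text)
  text.dup
end

# One encoder per output context. Each expects the stored value and
# applies only the escaping that context needs.
def render_html(stored)
  ERB::Util.html_escape(stored)          # what h() does in a Rails view
end

def render_csv_line(order_id, stored)
  CSV.generate_line([order_id, stored]).chomp   # CSV quoting rules only
end

def render_js_literal(stored)
  JSON.generate(stored)                  # a JS/JSON string literal
end

# Render one stored value in all three contexts so the two strategies
# can be compared side by side.
def outputs_for(stored)
  {
    html: render_html(stored),
    csv:  render_csv_line('order-1', stored),
    js:   render_js_literal(stored)
  }
end

# True when the HTML output carries a double-encoded entity, i.e. the
# "&amp;lt;" / "&amp;gt;" symptom the post describes on bulletin boards.
def double_encoded?(html)
  html.include?('&amp;lt;') || html.include?('&amp;gt;') || html.include?('&amp;amp;')
end

if __FILE__ == $PROGRAM_NAME
  [BLOG_POST, DELIVERY_NOTE].each do |input|
    puts "input: #{input}"
    puts "  pre-sanitized: #{outputs_for(store_sanitized(input))}"
    puts "  raw stored:    #{outputs_for(store_raw(input))}"
  end
end
```

Running it shows the two failure modes from the reply: the pre-sanitized value picks up a second layer of entities when `h()` is applied in the view, and its `&amp;`/`&gt;` leak verbatim into the CSV and JavaScript outputs, whereas the raw value is escaped exactly once in each context.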

