> Quite the opposite. Keep it up. You're kicking ass.
I agree completely. My post was all praise :)
Kev
___
Rails-core mailing list
Rails-core@lists.rubyonrails.org
http://lists.rubyonrails.org/mailman/listinfo/rails-core
> Is there a problem with me cleaning out duplicate tickets and such? Koz
> mentioned using XPATCH
>
> for non-trivial patches without tests. I've also been going through patches
> which I find to be a welcome addition and testing them against trunk and
> adding a tested tag to them or adding
Whoops, I guess it was Kevin Clark who wrote it. Sorry Tobias.
http://glu.ttono.us/articles/2006/02/11/acts-as-threaded
First a monster and now a manic, when my wife uses those terms, I KNOW I'm
doing something right. I didn't want to presume the same here.
Cheers,
Bob Silva
http://www.railtie.
On Sun, Feb 12, 2006 at 04:34:59PM -0800, Bob Silva wrote:
>I just read Tobias' blog where he calls me a "monster on" the Rails Trac
>system.
>
>Couldn't tell if he meant a nice furry cookie monster or mean
>mother-in-law type monster.
>
>Is there a problem with me cleaning ou
Hi,
I just read Tobias’ blog where he calls me a “monster
on” the Rails Trac system.
Couldn’t tell if he meant a nice furry cookie monster
or mean mother-in-law type monster.
Is there a problem with me cleaning out duplicate tickets
and such? Koz mentioned using XPATCH
for non
On Sun, Feb 12, 2006 at 11:30:31AM -0600, David Heinemeier Hansson wrote:
> > I don't personally use Basecamp, but if I remember correctly, many
> > people view the pages, so what prevents a bad user from doing:
> >
> > Click me !
>
> Basecamp is account restricted. You have to be invited and acce
This is an interesting idea. It's certainly easy at the moment to
forget the h on a field and open yourself up to XSS attacks.
Defaulting to h and having a way to get around it would be more
likely to show up problems in testing rather than in production. On
the other hand, it may be more
On 12.2.2006, at 19.18, Francois Beausoleil wrote:
2006/2/12, Tobias Luetke <[EMAIL PROTECTED]>:
By escaping the html your customers input you potentially disable a
lot of cool features.
For example we use html to make links in todo list items in basecamp
all the time. Couldn't do that if it w
> How is that operator different from <%=h my_string %>?
>
> Here's a suggestion: If you use html_escape more than regular output,
> bind your TextMate (or whatever editor) hotkey for ERb outputs to
> include the h by default. That'd be a very Less Software approach to
> doing the same.
Point tak
We did this in OpenACS where I used to contribute, and found it to be
a really bad idea, only too late.
Variable interpolation in OpenACS is done with @varname@, and to
avoid the HTML quoting, you have to say @varname;[EMAIL PROTECTED]
The reasons are the same as stated here:
1) It turns o
> Isn't Textile quite suited to this sort of task? Wouldn't it be safer?
It's suited some times for some of the tasks. But it's not a general
purpose replacement for HTML.
> I don't personally use Basecamp, but if I remember correctly, many
> people view the pages, so what prevents a bad user f
> A different approach might be to leave <%= alone and introduce a
> different ERB operator that is XSS safe, perhaps <%: ... my point is
> there are probably lots of different ways to attack this problem.
How is that operator different from <%=h my_string %>?
Here's a suggestion: If you use htm
Then that user is a jerk and is kicked out of basecamp.
> I don't personally use Basecamp, but if I remember correctly, many
> people view the pages, so what prevents a bad user from doing:
>
> Click me !
--
Tobi
http://shopify.com - modern e-commerce software
http://typo.leetsoft.com - Ope
2006/2/12, Tobias Luetke <[EMAIL PROTECTED]>:
> By escaping the html your customers input you potentially disable a
> lot of cool features.
>
> For example we use html to make links in todo list items in basecamp
> all the time. Couldn't do that if it was escaped.
Isn't Textile quite suited to thi
By escaping the html your customers input you potentially disable a
lot of cool features.
For example we use html to make links in todo list items in basecamp
all the time. Couldn't do that if it was escaped.
On 2/12/06, Francois Beausoleil <[EMAIL PROTECTED]> wrote:
> Am I reading this right?
In one case two years ago (not a Rails app but it would have been) the
QA team verifying the app we built had some sort of automated tool
that checked for XSS vulnerabilities to the extreme and forced us to
address each and every one of them, despite the fact that it was an
internal-facing webapp.
> Looks like the flash lost its reset mojo with the commits last night. It's
> staying persistent now.
Fixed. Thanks for reporting.
--
David Heinemeier Hansson
http://www.loudthinking.com -- Broadcasting Brain
http://www.basecamphq.com -- Online project management
http://www.backpackit.com -- P
Allow me to chime in with the fact that this would work poorly for
applications that actually allow user-inputted HTML, such as Basecamp.
I would not want to do <%=unescape_h on all of my outputs to negate
the effects of this.
But as others have suggested, plugins are a great way of changing
Rails
Hi!
2006/2/12, Tobias Luetke <[EMAIL PROTECTED]>:
> huh? that would break url_for, link_to, textilize, markdown and every
> single other helper which outputs html tags. I use the h helper in
> like 3 different places in shopify, that's definitely the exception.
Am I reading this right? 3 places
@ nathaniel
I am against doing h on all <%=, but why not just write a plugin? See how
it works? Sometimes it takes an extra step to convince people.
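The plugin Stefan suggests, and the "wrapper around every helper" idea raised later in the thread, both come down to the same mechanism: escape every `<%= %>` by default, and let helpers that build markup themselves mark their output as already safe. The following is an added example of that mechanism, written for this page; it is not code from the thread, from Rails, or from any plugin mentioned here. `SafeString`, `Escaping`, `EscapeByDefault`, `View`, `raw` and the todo-list template and values are hypothetical names and constructed input chosen for the example.

```ruby
require 'erb'
require 'cgi'

# Added example, not Rails code: an escape-by-default ERB renderer.
# Every <%= expr %> is wrapped in h() before ERB compiles the template;
# helpers that legitimately emit markup (link_to here) return a SafeString
# so h() passes them through, and raw() is the explicit opt-out.
# SafeString, Escaping, EscapeByDefault, View and raw are hypothetical names.

# A String subclass marking output that a helper has already escaped.
class SafeString < String
  def html_safe?
    true
  end
end

module Escaping
  # Like the h helper, but skips values a helper has already marked safe.
  def h(value)
    return value if value.respond_to?(:html_safe?) && value.html_safe?
    CGI.escapeHTML(value.to_s)
  end
end

module EscapeByDefault
  # Rewrite <%= expr %> into <%= h((expr)) %>; <% code %> and <%# %> are untouched.
  def self.preprocess(template)
    template.gsub(/<%=\s*(.+?)\s*%>/m) { "<%= h((#{Regexp.last_match(1)})) %>" }
  end

  # Render with escaping on by default.
  def self.render(template, assigns)
    View.new(assigns).render(preprocess(template))
  end

  # Render with plain ERB, i.e. the forget-the-h case the thread worries about.
  def self.render_unescaped(template, assigns)
    View.new(assigns).render(template)
  end
end

class View
  include Escaping

  def initialize(assigns)
    assigns.each { |name, value| instance_variable_set("@#{name}", value) }
  end

  def render(erb_source)
    ERB.new(erb_source).result(binding)
  end

  # Explicit opt-out for markup the view author vouches for.
  def raw(html)
    SafeString.new(html.to_s)
  end

  # A helper that builds markup itself: it escapes its own inputs and marks
  # the result safe, so escape-by-default does not double-escape it.
  def link_to(text, url)
    SafeString.new(%(<a href="#{h(url)}">#{h(text)}</a>))
  end
end

# Constructed sample input: one todo item carrying a script injection.
TODO_TEMPLATE = <<~TMPL
  <li><%= @item %></li>
  <li><%= link_to(@label, @url) %></li>
  <li><%= raw(@trusted_html) %></li>
TMPL

TODO_ASSIGNS = {
  item: '<script>alert(document.cookie)</script>',
  label: 'Fix "bug" & ship',
  url: '/todos?id=1&show=all',
  trusted_html: '<em>markup a vetted helper produced</em>'
}

if __FILE__ == $PROGRAM_NAME
  puts EscapeByDefault.render_unescaped(TODO_TEMPLATE, TODO_ASSIGNS)
  puts EscapeByDefault.render(TODO_TEMPLATE, TODO_ASSIGNS)
end
```

Run stand-alone, the first render prints the injected `<script>` tag unchanged, the second prints it as `&lt;script&gt;...`, while the link and the `raw()` item come out identical in both. The point the example makes against the "it breaks link_to" objection is that a helper which escapes its own inputs and marks its result safe keeps working under escape-by-default; only markup that reaches `<%= %>` unmarked gets escaped.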
Stefan Kaes wrote:
Nathaniel S. H. Brown wrote:
As I said before, I (or we, for whoever is in support) can solve the minor
details, and provide s
Bob Silva wrote:
Looks like the flash lost its reset mojo with the commits last night. It's
staying persistent now.
There are several problems with changesets 3580 and 3581. I'm investigating.
-- stefan
--
For rails performance tuning, see: http://railsexpress.de/blog
Subscription: http://ra
Looks like the flash lost its reset mojo with the commits
last night. It's staying persistent now.
Bob Silva
http://www.railtie.net/
Hi Guys,
I’ve submitted a new patch (3811) to resolve all the
issues with the date_helper library.
It also makes time values play nice with AR and scaffolding.
I’m hoping I can get some people to help out with
testing it (it passes all the original unit tests, plus 24 new ones), its
Nathaniel S. H. Brown wrote:
As I said before, I (or we, for whoever is in support) can solve the minor
details, and provide solutions with a little bit of creativity. I am of the
opinion that if you see points such as the ones you mentioned, you may also
be able to see how to fix them, if y
> One idea might be to have any helper method to have a wrapper around it,
> which is cleaned after using the <%= method. Such an example,
>
> Such as link_to(:controller => 'xss', :action => 'safe') in its raw state
> appends and prepends the {{SAFE}} and {{/SAFE}} string, whose contents
> a
> On 2/12/06, Nathaniel S. H. Brown <[EMAIL PROTECTED]> wrote:
> > As I said before, I (or we, for whoever is in support) can solve the
> > minor details, and provide solutions with a little bit of creativity.
> > I am of the opinion that if you see points such as the ones you
> > mentione
On 2/12/06, Nathaniel S. H. Brown <[EMAIL PROTECTED]> wrote:
> As I said before, I (or we, for whoever is in support) can solve the minor
> details, and provide solutions with a little bit of creativity. I am of the
> opinion that if you see points such as the ones you mentioned, you may also
> be
As I said before, I (or we, for whoever is in support) can solve the minor
details, and provide solutions with a little bit of creativity. I am of the
opinion that if you see points such as the ones you mentioned, you may also
be able to see how to fix them, if you so desire. I have some suggestion