When to use the 'sanitize' method in view files?
I am using Ruby on Rails 3.0.9 and I would like to know when I MAY, SHOULD and MUST use the sanitize(...) method for security reasons.
A usage example can be:
sanitize(flash[:notice])
You should use it whenever you are displaying data which has been input by the user, i.e. it cannot be trusted.
For example in a chat application a user can write posts which are then displayed on the page. In this case it is important to sanitize the input.
If you don't sanitize the input, the user can inject HTML and JavaScript code into your page, which affects all other users viewing the same page. This way the attacker can gain complete control over the page.
On the other hand it is not necessary to sanitize data your application created, i.e. in your example sanitize(flash[:notice]) is not necessary (assuming you are using flash to display status messages created by your application).
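The distinction the answer draws (untrusted user input versus strings the application built itself) is easier to see with the two output paths side by side. Rails 3 ERB templates already escape `<%= %>` output, so user text that should never render as markup needs no extra call; `sanitize` is the allowlist filter for the case where some user-supplied HTML (bold, links) is meant to survive. The following is an added example, not code from the question, the answer or Rails: `escape_html` wraps the standard-library `ERB::Util.html_escape`, while `sanitize_html`, `filter_tag` and `safe_url?` are a small illustrative allowlist sanitizer written here to show what a `sanitize`-style helper has to do (keep a fixed tag set, drop event-handler attributes and `script` content, reject unsafe URL schemes). The chat post in `USER_POST` is constructed.

```ruby
require "erb"

# Constructed sample chat post (not from the page): harmless formatting mixed
# with an XSS attempt through a script element, an event handler and a
# javascript: URL.
USER_POST = %q{Hi <b>all</b> <script>alert(1)</script> <a href="javascript:alert(1)" onclick="x()">click</a>}

# Path 1: escape everything. This is what Rails 3 does by default for <%= %>
# output (the h() helper calls ERB::Util.html_escape). No markup survives, so
# this is all an application-generated flash[:notice] ever needs.
def escape_html(str)
  ERB::Util.html_escape(str.to_s)
end

# Path 2: allowlist sanitizer in the spirit of Rails' sanitize helper. This is
# an illustrative stand-in written for this example, not the Rails code.
ALLOWED_TAGS  = %w[b i em strong p br a].freeze
ALLOWED_ATTRS = { "a" => %w[href] }.freeze
SAFE_SCHEMES  = %w[http https mailto].freeze

# Relative URLs pass; absolute ones must use an allowlisted scheme. Non-letters
# are stripped from the scheme so "java\tscript:" does not slip past the check.
def safe_url?(url)
  u = url.to_s.strip
  return true if u.start_with?("/", "#")
  return true unless u.include?(":")
  scheme = u.split(":", 2).first.downcase.gsub(/[^a-z]/, "")
  SAFE_SCHEMES.include?(scheme)
end

# Rebuild a single tag from scratch: unknown tags, comments and malformed tags
# are dropped entirely; known tags keep only allowlisted attributes, and kept
# attribute values are re-escaped.
def filter_tag(tag)
  m = tag.match(%r{\A<(/?)\s*([a-zA-Z][a-zA-Z0-9]*)(.*?)/?>\z}m)
  return "" unless m
  closing = m[1] == "/"
  name    = m[2].downcase
  return "" unless ALLOWED_TAGS.include?(name)
  return "</#{name}>" if closing
  kept = []
  m[3].scan(/([a-zA-Z][\w-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/) do |an, dq, sq, bare|
    an  = an.downcase
    val = dq || sq || bare
    next unless ALLOWED_ATTRS.fetch(name, []).include?(an)
    next if an == "href" && !safe_url?(val)
    kept << %( #{an}="#{escape_html(val)}")
  end
  "<#{name}#{kept.join}>"
end

def sanitize_html(html)
  # Drop script/style elements together with their content first; an unknown
  # tag alone would be removed below, but its text body would otherwise remain.
  stripped = html.to_s.gsub(%r{<(script|style)\b[^>]*>.*?</\1\s*>}mi, "")
  out = +""
  # Tokenise into complete tags, text runs and stray "<" characters. A tag may
  # not span another "<", so "1 < 2 and <i>x</i>" keeps its <i> element.
  stripped.scan(%r{<[^<>]*>|[^<]+|<}) do |tok|
    out << (tok.start_with?("<") && tok.end_with?(">") ? filter_tag(tok) : escape_html(tok))
  end
  out
end

if $PROGRAM_NAME == __FILE__
  puts "escaped:   #{escape_html(USER_POST)}"
  puts "sanitized: #{sanitize_html(USER_POST)}"
end
```

For the constructed post the escaped path renders the whole thing as visible text (every `<` becomes `&lt;`), while the sanitized path yields `Hi <b>all</b>  <a>click</a>`: the bold tag and the link element survive, the script element, the `onclick` handler and the `javascript:` href do not. Whichever path a view takes, the output must then be marked `html_safe` only after it has gone through one of them, never before.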