I am using Ruby on Rails 3.0.9 and I would like to know when I MAY, SHOULD and MUST use the sanitize(...) method for security reasons.
A usage example can be:
sanitize(flash[:notice])
You should use it whenever you are displaying data which has been input by the user, i.e. it cannot be trusted.
For example in a chat application a user can write posts which are then displayed on the page. In this case it is important to sanitize the input.
If you don’t sanitize the input, the user can inject HTML and JavaScript code into your page, which affects all other users viewing the same page. This way the attacker can gain complete control over the page.
On the other hand it is not necessary to sanitize data your application created, i.e. in your example sanitize(flash[:notice]) is not necessary. (Assuming you are using flash to display status messages created by your application.)
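The following is an added example illustrating the distinction the answer draws between untrusted user input and application-generated text; it is not code from the question, the answer or Rails itself. It uses only ERB::Util.html_escape from Ruby's standard library. The sample post, the flash string, the allowed tag/attribute lists and the small allowlist sanitizer are all constructed here for illustration: the sanitizer is a sketch of the idea behind Rails' sanitize (keep a short list of harmless tags, drop everything else, including event handlers and javascript: links), not the Rails implementation, and a real application should call the framework's sanitize rather than a hand-rolled regex tokenizer like this one.

```ruby
require "erb"

# Constructed sample inputs (not from the original page).
# A chat post written by a user: some harmless markup mixed with an XSS payload.
USER_POST = %q{Hi <b>all</b>, see <a href="https://example.com">this</a>} +
            %q{<script>alert(document.cookie)</script>} +
            %q{<a href="javascript:alert(1)" onclick="alert(2)">click</a>}
# A status message the application itself produced (what flash[:notice] usually holds).
APP_FLASH = "Your account was created."

# Allowlist for the demo sanitizer: tags and per-tag attributes that are kept.
ALLOWED_TAGS  = %w[b i em strong a].freeze
ALLOWED_ATTRS = { "a" => %w[href] }.freeze
SAFE_HREF     = %r{\Ahttps?://}i          # rejects javascript:, data:, vbscript: etc.
TAG_RE  = %r{</?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>}
ATTR_RE = /([a-zA-Z][a-zA-Z0-9-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/

# Case 1 (vulnerable): untrusted text dropped straight into markup.
# Equivalent to raw(text) or text.html_safe in a Rails 3 view.
def render_unsafe(text)
  %(<div class="post">#{text}</div>)
end

# Case 2 (safe, no markup allowed): escape everything so the browser shows it literally.
# Equivalent to <%= text %> in Rails 3, which escapes output by default.
def render_escaped(text)
  %(<div class="post">#{ERB::Util.html_escape(text)}</div>)
end

# Keep only allowlisted attributes; href must be an http(s) URL.
def safe_attrs(tag, attr_src)
  allowed = ALLOWED_ATTRS.fetch(tag, [])
  attr_src.scan(ATTR_RE).filter_map do |name, dq, sq, bare|
    name  = name.downcase
    value = dq || sq || bare
    next unless allowed.include?(name)
    next if name == "href" && value !~ SAFE_HREF
    %( #{name}="#{ERB::Util.html_escape(value)}")
  end.join
end

# Case 3 (safe, limited markup allowed): allowlist sanitizer in the spirit of sanitize().
# Disallowed tags are removed; their text content is kept but HTML-escaped.
def sanitize_allowlist(html)
  out = +""
  pos = 0
  html.scan(TAG_RE) do
    m = Regexp.last_match
    out << ERB::Util.html_escape(html[pos...m.begin(0)])   # text between tags
    pos = m.end(0)
    name = m[1].downcase
    next unless ALLOWED_TAGS.include?(name)
    if m[0].start_with?("</")
      out << "</#{name}>"
    else
      out << "<#{name}#{safe_attrs(name, m[2])}>"
    end
  end
  out << ERB::Util.html_escape(html[pos..])
  out
end

def render_sanitized(text)
  %(<div class="post">#{sanitize_allowlist(text)}</div>)
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe:    #{render_unsafe(USER_POST)}"
  puts "escaped:   #{render_escaped(USER_POST)}"
  puts "sanitized: #{render_sanitized(USER_POST)}"
  puts "flash:     #{render_escaped(APP_FLASH)}"   # app-generated text, unchanged by escaping
end
```

Running it shows the three outcomes side by side: the raw version ships the script and the onclick handler to every viewer, the escaped version shows the payload as literal text, and the allowlisted version keeps the bold text and the https link while stripping the script tag, the javascript: href and the event handler. The application-generated flash string comes back unchanged, which is the answer's point: escaping or sanitizing it costs nothing but is only strictly needed if the application ever builds a flash message out of user-supplied strings.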