I am using Ruby on Rails 3.1.0 and I would like to focus on security when using the I18n gem for internationalization purposes.
At this time I have:
```yaml
# in .yml file
key_1_html: "%{var_1} is just a test"
```

```ruby
# in view, controller and model files
I18n.t('key_1_html', :var_1 => 'Test variable')
```
The Test variable is/represents an input from users, so I should consider that as a potential hacking attempt.
What could/should I do to care about security in my case?
Under normal Rails (3.x) usage, you don’t have to do anything.
Even if some HTML code or javascript gets into the string returned from i18n, if you are outputting strings returned from i18n in ordinary ways, any HTML in them (whether from the template or the variable) will be escaped and show up as literal source in the webpage.
You’d have to manually mark a string returned by i18n as .html_safe to get it to be delivered as html source.
So don’t do that.
Try it yourself, and see.
Now output that in an ERB template and see what happens.
If you’re doing something odd with i18n other than outputting it through typical Rails templates to the browser, then you’ll need to say what, and what your concern is.
I think maybe this guide is what you’re looking for, for an overview of Rails security issues:
http://guides.rubyonrails.org/security.html
See Section 8 on “Injection”.
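As an added illustration of the answer's point (this is not code from the question, the answer, or the i18n gem), the same contrast in plain Ruby: a constructed hash stands in for the .yml file, `String#%` stands in for the `%{var}` interpolation done by `I18n.t`, and `ERB::Util.html_escape` is what an ERB `<%= %>` tag applies to an ordinary String. Note that `I18n.t` returns a plain String, so nothing below is html_safe unless the caller marks it so.

```ruby
require 'erb'

# Constructed stand-in for the translations in the .yml file (not a real I18n backend).
TRANSLATIONS = {
  'key_1_html' => '%{var_1} is just a test'
}.freeze

# Mimics the %{var} interpolation that I18n.t performs, using String#% with a Hash.
# Like I18n.t, this returns an ordinary String: nothing here is marked html_safe.
def translate(key, vars)
  TRANSLATIONS.fetch(key) % vars
end

# What an ERB template does with an ordinary String inside <%= %>: escape it.
# Markup from the template text and from the interpolated user value is both
# turned into literal characters, so the browser renders it as text.
def render_escaped(key, vars)
  ERB::Util.html_escape(translate(key, vars))
end

# What the caller gets by marking the string .html_safe (or using raw / <%==):
# the interpolated user value reaches the browser as live markup. Avoid this
# unless every interpolated value has itself been escaped first.
def render_raw(key, vars)
  translate(key, vars)
end

if __FILE__ == $PROGRAM_NAME
  user_input = '<script>alert(1)</script>' # constructed hostile input value
  puts render_escaped('key_1_html', :var_1 => user_input)
  # => &lt;script&gt;alert(1)&lt;/script&gt; is just a test
  puts render_raw('key_1_html', :var_1 => user_input)
  # => <script>alert(1)</script> is just a test
end
```

Running it shows that the default ERB path neutralises the value, while only the explicit raw path lets the markup through.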