Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
I receive input in the form of URL strings (aka controller/action?example=yes), and I’m wondering if I need to escape the content of the string for security.
For example, if I assign the param to a variable:
example = params[:example].to_s
do I need to escape anything? or do I only apply h() when I put the value of :example back in the view file?
It depends on what you are doing with it, if you are worried of SQL injections , then you can trust ActiveRecord, like doing:
or
On the other side, the common strategy of filtering is on display side, so you save the input as is, and you filter on display(views) by using
h().If you still want to save some HTML input from the user like when doing in rich editors, then you have to pay extra attention to XSS attacks, and so you have to filter the input. One great gem for filtering HTML is Sanitize, use it to save a modified filtered version of user input to use it in views.