ruby on rails - Safe ERB plugin implementation issue
I am trying to implement the safe_erb plugin in a Rails 2.0.2 app. I am using this version for project-specific purposes, along with Ruby 1.8.7.
I have referred to the following tutorials:
http://www.railslodge.com/plugins/430-safe-erb
http://agilewebdevelopment.com/plugins/safe_erb
I couldn't make much sense of the above URLs, as I am a newbie to Rails and Rails-related plugins. I found the above tutorials generic.
I couldn't relate the plugin's use to a great extent in real-world terms from the above tutorials. Could someone please enlighten me on its usage in day-to-day, real-world work?
I have implemented a books application which has author, title and publishing date. I am facing issues implementing the taint feature of the plugin.
In the second tutorial, I need to call the tainted? method on the object's class. I have done that in the create method of books_controller.rb. The code of the create method looks like this:
```ruby
def create
  @book = Book.new(params[:book])
  @book.publishing_date = params[:publishing_date]

  respond_to do |format|
    if @book.save
      flash[:notice] = 'Book created.'
      format.html { redirect_to(@book) }
      format.xml  { render :xml => @book, :status => :created, :location => @book }
    else
      format.html { render :action => "new" }
      format.xml  { render :xml => @book.errors, :status => :unprocessable_entity }
    end

    # Taint check taken from the second tutorial
    if @book.tainted?
      flash[:notice] = 'books tainted'
      format.html { redirect_to(@book) }
      format.xml  { render :xml => @book, :status => :created, :location => @book }
    else
      flash[:notice] = 'books aren\'t tainted'
      format.html { render :action => "new" }
      format.xml  { render :xml => @book.errors, :status => :unprocessable_entity }
    end
  end
end
```
Upon creating a new book record, I get the notice saying "books aren't tainted". I have copied the plugin to the vendor/plugins directory.
As per the second tutorial URL, "the string becomes tainted when read from IO, such as data read from the DB or an HTTP request."
But that is not happening in my case when I try to create a new book record. Do I need to explicitly taint the string input I am taking (it's a varchar as per the DB types; I guess that shouldn't be an issue)? If yes, please tell me how to do it.
or
If it is not the above case, am I missing something?
Any insights on this are appreciated.
Thank you.
To begin with, if you can move on to Rails 3 and Ruby 1.9.2, please do so. It is worth the effort. Rails 2.0.2 was released in 2007 and is at least 3 years old. Rails 3 provides better protection than the plugin, right out of the box.
Having said that, safe-erb appears to be providing XSS protection. Going through the version of the plugin at https://github.com/abedra/safe-erb, you won't need to do anything special anywhere in your app to make it work. Install the plugin in vendor/plugins and go. Your controller should be as it was without the plugin. You can do away with the if tainted block.
The way the plugin works is by hooking into various parts of the Rails processing queue and doing taint management to make the views automatically throw an error whenever there is unescaped user text. To use it, you don't need anything in your models and controllers. In your views, make sure data is passed through h
before being displayed.
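As an added illustration of the rule the answer describes (this is not the plugin's code and not from the original post): data read from the request carries a mark, h removes it by escaping, and the renderer refuses to emit anything still marked. Since String#taint was removed in Ruby 3.2, the taint flag is replaced here by a constructed UntrustedString subclass; SafeView, params_from_request and the templates are all assumptions made for the example.

```ruby
require 'cgi'

# Stand-in for Ruby's taint flag (String#taint was removed in Ruby 3.2):
# a string that originated in a request is carried in this subclass.
# Unlike the real flag, the mark is not propagated through string operations.
class UntrustedString < String
  def to_s
    self # keep the mark through implicit to_s calls
  end
end

class UnescapedOutputError < StandardError; end

# Minimal view renderer with the plugin's rule baked in: every <%= %>
# result is inspected before it reaches the output buffer.
class SafeView
  def initialize(assigns)
    assigns.each { |name, value| instance_variable_set("@#{name}", value) }
  end

  # Same contract as Rails' h helper: escaped text comes back as a plain
  # String (String.new drops the subclass, so the mark is cleared).
  def h(value)
    String.new(CGI.escapeHTML(value.to_s))
  end

  def render(template)
    template.gsub(/<%=(.*?)%>/m) do
      expr  = Regexp.last_match(1).strip
      value = instance_eval(expr)
      if value.is_a?(UntrustedString)
        raise UnescapedOutputError, "unescaped request data in output: #{expr}"
      end
      value.to_s
    end
  end
end

# What the plugin does on the way in: mark everything read from the request.
def params_from_request(raw)
  raw.each_with_object({}) { |(key, value), marked| marked[key] = UntrustedString.new(value) }
end
```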