By the way, sanitize and strip_tags work as follows:

<div id="divForS"></div>
<div id="divForT"></div>


<script type="text/javascript">
var v = 1;

var s = <%= sanitize(@s).to_json %>;

var t = <%= strip_tags(@s).to_json %>;

document.getElementById('divForS').innerHTML = s + v;
document.getElementById('divForT').innerHTML = t + v;
</script>


the HTML generated is:

var s = "Bill Gates's dog said \"whoof whoof\" and \n 
\074b\076ran\074/b\076 &lt;script\076 alert('hi');v=2; &lt;/script\076 
away.";

var t = "Bill Gates's dog said \"whoof whoof\" and \n ran 
alert('hi');v=2;  away.";


and the web browser shows it on the screen as:

Bill Gates's dog said "whoof whoof" and ran <script> alert('hi');v=2; 
</script> away.1
Bill Gates's dog said "whoof whoof" and ran alert('hi');v=2; away.1


One thing I don't understand is that if I remove the sanitize function, 
the alert will not get called, and v won't be set to 2, so the line for 
innerHTML = t + v will still show v as 1.  I thought the script part 
would get executed?  Or is it a rule that it won't be executed, and in 
that case we don't need to use h, sanitize, or strip_tags to prevent 
cross-site scripting (XSS) if we set the value into innerHTML?  So in 
that case, s.to_json is good enough?  (Unless some browser actually 
executes them and makes XSS possible.)  Thanks.

-- 
Posted via http://www.ruby-forum.com/.
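As an added example that is not part of the post, written in plain Ruby with only the stdlib json and erb libraries instead of the Rails helpers: it shows the two escaping layers involved in the snippet above, entity-encoding for HTML output (what the h helper does) and JSON generation hardened so the emitted literal can never contain a `</script>` sequence that would end the surrounding script block. The input string is constructed to resemble the post's @s, and json_for_script and html_escaped are names chosen here, not Rails API.

```ruby
require 'json'
require 'erb'

# Constructed sample input modelled on the post's @s value (not the original data).
UNTRUSTED = %(Bill Gates's dog said "whoof whoof" and\n<b>ran</b> <script> alert('hi');v=2; </script> away.)

# Characters that are harmless inside a JSON string but risky inside an HTML
# <script> block: "</" can close the script element early, and U+2028/U+2029
# are line terminators for JavaScript even though JSON allows them unescaped.
SCRIPT_UNSAFE = {
  '<' => '\u003c', '>' => '\u003e', '&' => '\u0026',
  "\u2028" => '\u2028', "\u2029" => '\u2029'
}.freeze

# JSON literal that is safe to drop into `var s = <%= ... %>;` inside a <script>.
# Plain JSON.generate leaves '<' and '/' alone, so "</script>" would survive.
def json_for_script(value)
  JSON.generate(value).gsub(/[<>&\u2028\u2029]/) { |c| SCRIPT_UNSAFE[c] }
end

# The h() helper path: entity-encode so the text renders literally as HTML text.
def html_escaped(value)
  ERB::Util.html_escape(value)
end

# Check used to compare the plain and hardened JSON outputs.
def contains_closing_script_tag?(text)
  text.downcase.include?('</script')
end

if __FILE__ == $PROGRAM_NAME
  puts "plain JSON:    #{JSON.generate(UNTRUSTED)}"
  puts "script-safe:   #{json_for_script(UNTRUSTED)}"
  puts "HTML-escaped:  #{html_escaped(UNTRUSTED)}"
end
```

The hardened literal still parses back to the identical string, so nothing is lost; only the representation inside the script block changes.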

You received this message because you are subscribed to the Google Groups "Ruby 
on Rails: Talk" group.