h() or html_escape() does not escape the single quote... risky?

Discussion in 'Ruby' started by SpringFlowers AutumnMoon, Sep 27, 2008.

  1. so h() is an alias for html_escape() and they convert the following 4
    characters

    < > & "

    into

    &lt; &gt; &amp; &quot;

    the single quote is not converted...

    I just wonder sometimes we happen to write code such as

    <input type='hidden' value='<%= h(user_comment) %>'>

    and it can cause a cross-site scripting (XSS) attack?

    we usually use double quote but sometimes we use single quote like
    somebody can write

    puts "<input type='hidden' value='" + h(user_comment %> + "'>"

    (sorry, I have used PHP for quite some time and so my Ruby is rusty...)
    --
    Posted via http://www.ruby-forum.com/.
    SpringFlowers AutumnMoon, Sep 27, 2008
    #1
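An added example, not code from the thread or from Rails, that puts the four-character escape the post describes beside one that also escapes the single quote, then shows how a single-quoted attribute reads to a parser in each case. `h_legacy`, `h_full`, `hidden_input`, `split_attribute` and the sample value are all constructed here for illustration.

```ruby
# Added example, not code from the thread: the four-character escape the
# original post describes (h()/html_escape in 2008-era Rails), beside a
# version that also escapes the single quote, checked in a single-quoted
# attribute. Sample values are constructed for the demonstration.

require 'cgi'

# The four replacements the post lists: < > & "
LEGACY_ESCAPES = { '&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;' }.freeze

# Same table plus the single quote. &#39; is used rather than &apos; because
# &apos; is not defined in HTML 4 (only in XHTML/XML).
FULL_ESCAPES = LEGACY_ESCAPES.merge("'" => '&#39;').freeze

# Mirrors the behaviour under discussion: the single quote passes through.
def h_legacy(str)
  str.to_s.gsub(/[&<>"]/) { |c| LEGACY_ESCAPES[c] }
end

# Escapes all five characters, so the result is safe in double- and
# single-quoted attribute values as well as in element content.
def h_full(str)
  str.to_s.gsub(/[&<>"']/) { |c| FULL_ESCAPES[c] }
end

# Builds the single-quoted hidden input from the original post, using the
# %[...] delimiter so neither kind of quote needs backslash-escaping in Ruby.
def hidden_input(value, escaper)
  %[<input type='hidden' value='#{escaper.call(value)}'>]
end

# A deliberately minimal reading of how a parser sees the attribute: the value
# runs up to the next single quote; whatever follows it before '>' is no
# longer data but sits in attribute position of the tag.
def split_attribute(markup)
  m = markup.match(/value='([^']*)'(.*?)>/)
  return nil unless m
  { value: m[1], trailing: m[2] }
end

# An ordinary value containing an apostrophe is enough to show the difference;
# no attack string is needed to see where the attribute ends.
SAMPLE = "O'Brien"

def demo
  legacy = hidden_input(SAMPLE, method(:h_legacy))
  full   = hidden_input(SAMPLE, method(:h_full))
  {
    legacy_markup:   legacy,
    legacy_split:    split_attribute(legacy),
    full_markup:     full,
    full_split:      split_attribute(full),
    # The browser decodes &#39; back to the apostrophe, so the data survives.
    full_round_trip: CGI.unescapeHTML(h_full(SAMPLE))
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

With the four-character table the attribute value ends at the apostrophe and `Brien'` lands outside the quoted value, which is exactly the situation the post asks about; with the single quote escaped to `&#39;` the whole value stays inside the quotes and decodes back to the original string. Current ERB::Util.html_escape (and the Rails h helper built on it) escape the single quote the same way, so the gap discussed in this thread belongs to the older four-character table.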

  2. Andreas S. (Guest)

    This is a Rails question. Please ask Rails questions in a Rails forum,
    not on the Ruby mailing list.

    SpringFlowers AutumnMoon wrote:
    > the single quote is not converted...
    >
    > I just wonder sometimes we happen to write code such as
    >
    > <input type='hidden' value='<%= h(user_comment) %>'>


    Just don't, it's not correct HTML.
    --
    Posted via http://www.ruby-forum.com/.
    Andreas S., Sep 27, 2008
    #2

  3. Hi,

    At Sun, 28 Sep 2008 04:28:45 +0900,
    SpringFlowers AutumnMoon wrote in [ruby-talk:316193]:
    > the single quote is not converted...


    I guess that is because the character entity reference of
    single quote isn't defined in HTML.

    > we usually use double quote but sometimes we use single quote like
    > somebody can write
    >
    > puts "<input type='hidden' value='" + h(user_comment %> + "'>"
    >


    You can use other delimiters than double quote and single quote.

    puts %[<input type="hidden" value="#{h(user_comment)}">]

    or heredoc.

    puts <<HIDDEN
    <input type="hidden" value="#{h(user_comment)}">
    HIDDEN

    Heredocs include the trailing newline, but that makes no difference
    when used with #puts.

    --
    Nobu Nakada
    Nobuyoshi Nakada, Sep 27, 2008
    #3
