h() or html_escape() not escape the single quote... risky?


SpringFlowers AutumnMoon

so h() is an alias for html_escape() and they convert the following 4
characters

< > & "

into

&lt; &gt; &amp; &quot;

the single quote is not converted...

I just wonder sometimes we happen to write code such as

<input type='hidden' value='<%= h(user_comment) %>'>

and it can cause a cross-site scripting (XSS) attack?

we usually use double quotes but sometimes we use single quotes, like
somebody can write

puts "<input type='hidden' value='" + h(user_comment) + "'>"

(sorry, I have used PHP for quite some time and so my Ruby is rusty...)
 

Andreas S.

This is a Rails question. Please ask Rails questions in a Rails forum,
not on the Ruby mailing list.

SpringFlowers said:
the single quote is not converted...

I just wonder sometimes we happen to write code such as

<input type='hidden' value='<%= h(user_comment) %>'>

Just don't, it's not correct HTML.
 

Nobuyoshi Nakada

Hi,

At Sun, 28 Sep 2008 04:28:45 +0900,
SpringFlowers AutumnMoon wrote in [ruby-talk:316193]:
the single quote is not converted...

I guess that is because the character entity reference of
single quote isn't defined in HTML.
we usually use double quotes but sometimes we use single quotes, like
somebody can write

puts "<input type='hidden' value='" + h(user_comment) + "'>"

You can use other delimiters than double quote and single quote.

puts %[<input type="hidden" value="#{h(user_comment)}">]

or heredoc.

puts <<HIDDEN
<input type="hidden" value="#{h(user_comment)}">
HIDDEN

Heredocs include the trailing newline, but that makes no difference when
used with #puts.
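As an added example (not code from the thread or from Rails), the following Ruby script rebuilds a four-character escaper in the shape the first post describes, puts a five-character variant beside it that also turns the single quote into the numeric reference `&#39;`, and adds a small check that reports whether an escaped value can still close the attribute it sits in. The helper names (`escape_four`, `escape_five`, `hidden_input`, `attribute_breakable?`) and the sample comment are assumptions made for this illustration.

```ruby
# Added example, not from the thread: compares an escaper that handles only
# < > & " (as the post says h() does) with one that also handles the single
# quote, and checks which attribute delimiters each one keeps intact.

# Escapes the four characters listed in the thread: < > & "
# (Ruby's gsub accepts a replacement hash keyed by the matched text.)
def escape_four(str)
  str.to_s.gsub(/[<>&"]/, '<' => '&lt;', '>' => '&gt;',
                           '&' => '&amp;', '"' => '&quot;')
end

# Same four characters plus the single quote as a numeric character
# reference; &#39; is understood everywhere, unlike the &apos; entity,
# which HTML 4 does not define.
def escape_five(str)
  str.to_s.gsub(/[<>&"']/, '<' => '&lt;', '>' => '&gt;', '&' => '&amp;',
                            '"' => '&quot;', "'" => '&#39;')
end

# Builds the hidden input from the thread with the chosen attribute quote
# character ('"' or "'") and the chosen escaper (:escape_four / :escape_five).
def hidden_input(value, quote, escaper)
  "<input type=#{quote}hidden#{quote} value=#{quote}#{send(escaper, value)}#{quote}>"
end

# True when the escaped value still contains the character used as the
# attribute delimiter, i.e. when untrusted input could end the attribute
# early. This is the condition the first post is worried about.
def attribute_breakable?(value, quote, escaper)
  send(escaper, value).include?(quote)
end

if __FILE__ == $0
  comment = %q(it's "ok" <b>&)   # constructed sample input
  puts hidden_input(comment, '"', :escape_four)   # safe: " is escaped
  puts hidden_input(comment, "'", :escape_four)   # risky: ' survives
  puts hidden_input(comment, "'", :escape_five)   # safe: ' becomes &#39;
  puts attribute_breakable?(comment, "'", :escape_four)   # true
  puts attribute_breakable?(comment, "'", :escape_five)   # false
end
```

The check makes the thread's point concrete: with the four-character escaper, double-quoted attributes are fine and single-quoted ones are not, so either keep attribute values in double quotes (as the reply suggests) or use an escaper that also covers the single quote.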
 
