Using a user-supplied string with String#include?


Tobi Reif

Hi

In a web app that will soon be out there in the vast and partially
evil web, I might take a string which a user supplied via an HTML
form, and use it roughly like this:

some_str.downcase.include?(user_supplied_str.downcase)

Would this be dangerous? Could the visitor smuggle in stuff like
backticks or #{}?

Should I increase $SAFE, use #taint, and filter out dangerous
characters?

Tobi
 

Jano Svitok

> Hi
>
> In a web app that will soon be out there in the vast and partially
> evil web, I might take a string which a user supplied via an HTML
> form, and use it roughly like this:
>
> some_str.downcase.include?(user_supplied_str.downcase)
>
> Would this be dangerous? Could the visitor smuggle in stuff like
> backticks or #{}?

No. Here it's perfectly safe - you have to call eval to evaluate #{},
`` etc. Other dangerous actions might be "send", "class_eval", ... but
here you are not using any of them.
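To make the point of the reply concrete, here is an added example (not code from either poster). It shows that `#{}` and backticks are handled by the Ruby parser only inside double-quoted literals in source code, while a string that arrives at runtime from a form is plain character data to `String#include?`. The sample input and the `contains?` helper are constructed for this illustration.

```ruby
# Added example: a user-supplied string passed to String#include? is
# plain data. Interpolation (#{}) and backticks are source-code syntax
# that the parser resolves in double-quoted literals; a string value
# that exists at runtime is never parsed again.

# Constructed sample of hostile-looking form input. It is written as a
# single-quoted literal so the #{} and backticks are kept verbatim,
# exactly as they would arrive in a request parameter.
USER_INPUT = 'foo #{`date`} BAR'

# Mirrors the call from the question (hypothetical helper name).
def contains?(haystack, user_supplied)
  haystack.downcase.include?(user_supplied.downcase)
end

# The input keeps its interpolation and backtick characters: nothing
# was evaluated, nothing was executed, they are just characters.
def interpolation_markers_preserved?(str)
  str.include?('#{') && str.include?('`')
end

# Interpolation happens only when #{} is written in a double-quoted
# literal in the program text, never inside a runtime string value.
def parse_time_vs_runtime
  parsed  = "#{1 + 1}"   # the parser interpolates this into "2"
  runtime = '#{1 + 1}'   # eight literal characters, no arithmetic
  [parsed, runtime]
end

if __FILE__ == $PROGRAM_NAME
  p contains?('Some TEXT', USER_INPUT)                        # false
  p contains?('prefix ' + USER_INPUT + ' suffix', USER_INPUT) # true: matched as literal characters
  p interpolation_markers_preserved?(USER_INPUT)              # true
  p parse_time_vs_runtime                                     # ["2", "\#{1 + 1}"]
end
```

The second call matches only because the haystack literally contains the same characters; no `$SAFE` level or tainting is needed for this comparison, since no code path hands the string to `eval`, `instance_eval` or a shell.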