Tobi Reif
Hi
In a web app that will soon be out there in the vast and partially
evil web, I might take a string which a user supplied via an HTML
form, and use it roughly like this:
some_str.downcase.include?(user_supplied_str.downcase)
Would this be dangerous? Could the visitor smuggle in stuff like
backticks or #{}?
Should I increase $SAFE, use #taint, and filter out dangerous
characters?
Tobi
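The string handling the post asks about, as an added example that is not part of the original message (the HOSTILE sample value and the helper method names are constructed for illustration):

```ruby
# Added example, not from the original post. Shows that include? treats a
# user-supplied string as inert data, and where escaping is actually needed.

# Constructed hostile-looking input. Single quotes mean the value contains
# the literal characters "#{...}" and backticks; nothing is evaluated.
HOSTILE = 'abc `id` #{1+1}'

# The pattern from the post: both sides are plain data. downcase and
# include? never parse or evaluate the string, so no interpolation and
# no command execution can occur.
def case_insensitive_include?(haystack, needle)
  haystack.downcase.include?(needle.downcase)
end

# Interpolation happens once, when the double-quoted literal is parsed.
# The variable's contents are never re-parsed, so "#{" inside the value
# stays literal text.
def interpolate_once(value)
  "wrapped: #{value}"
end

# Where care IS needed: building a regexp from user input. Regexp.escape
# neutralises metacharacters so the input is matched literally.
def literal_regex_match?(haystack, needle)
  haystack.match?(Regexp.new(Regexp.escape(needle), Regexp::IGNORECASE))
end

# Without escaping, user input is interpreted as pattern syntax; a stray
# metacharacter is enough to raise (or to change what is matched).
def unescaped_regex_raises?(needle)
  Regexp.new(needle)
  false
rescue RegexpError
  true
end
```

Only code that re-parses the string (eval, an unescaped Regexp.new, a shell command line) would treat it as more than data; include? is not in that category.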