h() or html_escape() not escape the single quote... risky?

SpringFlowers AutumnMoon
09-27-2008
so h() is an alias for html_escape() and they convert the following 4
characters

< > & "

into

&lt; &gt; &amp; &quot;

the single quote is not converted...

I just wonder sometimes we happen to write code such as

<input type='hidden' value='<%= h(user_comment) %>'>

and it can cause a cross-site scripting (XSS) attack?

we usually use double quote but sometimes we use single quote like
somebody can write

puts "<input type='hidden' value='" + h(user_comment) + "'>"

(sorry, I have used PHP for quite some time and so my Ruby is rusty...)
--
Posted via http://www.ruby-forum.com/.

Andreas S.
09-27-2008
This is a Rails question. Please ask Rails questions in a Rails forum,
not on the Ruby mailing list.

SpringFlowers AutumnMoon wrote:
> the single quote is not converted...
>
> I just wonder sometimes we happen to write code such as
>
> <input type='hidden' value='<%= h(user_comment) %>'>


Just don't, it's not correct HTML.
--
Posted via http://www.ruby-forum.com/.

Nobuyoshi Nakada
09-27-2008
Hi,

At Sun, 28 Sep 2008 04:28:45 +0900,
SpringFlowers AutumnMoon wrote in [ruby-talk:316193]:
> the single quote is not converted...


I guess that is because the character entity reference of
single quote isn't defined in HTML.

> we usually use double quote but sometimes we use single quote like
> somebody can write
>
> puts "<input type='hidden' value='" + h(user_comment) + "'>"
>


You can use other delimiters than double quote and single quote.

puts %[<input type="hidden" value="#{h(user_comment)}">]

or heredoc.

puts <<HIDDEN
<input type="hidden" value="#{h(user_comment)}">
HIDDEN

Heredocs include the trailing newline, but that makes no difference when
used with #puts.

--
Nobu Nakada
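As an added example (not part of the thread, and not Rails' own code), the four-character escape the thread describes next to a five-character version that also handles the single quote, with a check for whether an escaped value can still terminate the attribute it is placed in:

```ruby
# Added example, not from the thread: the escaping tables are written out
# by hand so the result does not depend on the installed Ruby or Rails.

# The four characters the thread says h()/html_escape() converts.
FOUR_CHAR = { '<' => '&lt;', '>' => '&gt;', '&' => '&amp;', '"' => '&quot;' }.freeze

# The same table with the single quote added. HTML 4 defines no &apos;
# entity, so the numeric character reference &#39; is used instead.
FIVE_CHAR = FOUR_CHAR.merge("'" => '&#39;').freeze

# Escape text with the given table; characters not in the table pass through.
def escape_with(table, text)
  text.to_s.gsub(/[<>&"']/) { |c| table.fetch(c, c) }
end

# The single-quoted hidden input from the thread, built with a chosen table.
def hidden_input(value, table)
  "<input type='hidden' value='#{escape_with(table, value)}'>"
end

# Defender's check: after escaping, does the value still contain the
# character that delimits the attribute it is placed in?
def breaks_out_of?(delimiter, value, table)
  escape_with(table, value).include?(delimiter)
end

# Constructed sample comment text.
SAMPLE = "O'Reilly & Sons <b>"

if __FILE__ == $0
  puts hidden_input(SAMPLE, FOUR_CHAR)   # the attribute ends right after the O
  puts hidden_input(SAMPLE, FIVE_CHAR)   # value='O&#39;Reilly &amp; Sons &lt;b&gt;'
  puts breaks_out_of?("'", SAMPLE, FOUR_CHAR)  # true: h() alone is not enough here
  puts breaks_out_of?('"', SAMPLE, FOUR_CHAR)  # false: double quotes are covered
end
```

With a double-quoted attribute (as in Nakada's %[] and heredoc forms) the four-character table is sufficient; the single-quoted attribute needs the single quote escaped as well.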
