
Protecting Your Rails Ecommerce Application

In this conclusion to a four-part series covering security for a Ruby on Rails ecommerce application, you'll learn how to protect the application against SQL injection, cross-site request forgery, and more. This article is excerpted from chapter eight of the book Practical Rails Projects, written by Eldon Alameda (Apress; ISBN: 1590597818).

Author Info:
By: Apress Publishing
June 24, 2010
  1. Protecting Your Rails Ecommerce Application
  2. Protecting Your Application
  3. URL and Form Manipulation
  4. SQL Injection
  5. Cross-Site Request Forgery


Protecting Your Rails Ecommerce Application - Protecting Your Application
(Page 2 of 5)

Web applications are vulnerable to many exploits, and no framework can make up for a sloppy developer building an application that is easy to hack. In this section, we will review some of the most common exploits and show you how to use Rails to protect your application against them.

Cross-Site Scripting

If you let your users provide content on the site, you must consider that someone may try to enter malicious content, often in the form of JavaScript. Therefore, you should never output anything generated by users directly in the browser. Rails has a shortcut method h (an alias for html_escape), which escapes all the output run through it:

<%= h @user.first_name %>

For example, if first_name is >George<, the output of h will be &gt;George&lt;. That way, a user cannot enter HTML tags or JavaScript and get it parsed by the browser.

If you want to allow the user to store some safe HTML, you can also run the output through the sanitize helper, which strips all form tags, script tags, and onXXX (such as onclick) attributes from tags to prevent running arbitrary JavaScript on the page.
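The following is an added, stand-alone Ruby example (not code from the book or from Rails itself) that reimplements the escaping h performs, shows the double-escaping pitfall that html_escape_once avoids, and checks that escaped user input cannot add tags to a template; the function and sample names are the author's own constructions.

```ruby
# Stand-alone reimplementation of the escaping that Rails' h / html_escape
# helper performs (example code, not the Rails source). These five characters
# are the ones with special meaning in HTML text and attribute contexts.
HTML_ESCAPE = {
  "&" => "&amp;", "<" => "&lt;", ">" => "&gt;", '"' => "&quot;", "'" => "&#39;"
}.freeze

# Escape every special character, as h does. Applying it twice double-escapes
# (& -> &amp; -> &amp;amp;), which is why Rails tracks whether a string is
# already marked safe instead of re-escaping blindly.
def html_escape(text)
  text.to_s.gsub(/[&<>"']/, HTML_ESCAPE)
end

# Escape only characters that are not already part of an entity, mirroring
# the behaviour of ERB::Util.html_escape_once for pre-escaped input.
def html_escape_once(text)
  text.to_s.gsub(/["><']|&(?!([a-zA-Z]+|(#\d+)|(#[xX][\dA-Fa-f]+));)/, HTML_ESCAPE)
end

# Simulates the <%= h @user.first_name %> template line from the article:
# the user-supplied name is escaped before being interpolated into markup.
def render_greeting(first_name)
  "<p>Hello, #{html_escape(first_name)}!</p>"
end

# Defender-side check: after escaping, user text must not introduce any tag.
# Returns true when the only tag name present is the template's own <p>.
def only_template_tags?(html)
  html.scan(/<\/?([a-zA-Z][\w-]*)/).flatten.map(&:downcase).uniq == ["p"]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs, including the ">George<" case from the text.
  [">George<", "<script>document.title = 'x'</script>", "O'Brien & Sons"].each do |name|
    html = render_greeting(name)
    puts "#{html}  (tags ok: #{only_template_tags?(html)})"
  end
end
```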
