I'm using Rails 3. When a user submits a form with a text_field and has & entered in it, the form gets validated. When it isn't valid, Rails returns an error, which I then show to the user. But now the & is translated to & . How can I change this behaviour? Thanks.
I found the culprit. I was sending my input to a sanitizer method, which replaced all ampersands by &.
Maybe try "risky string".html_safe
Related
I am trying to get a parameter T&T to api by angular .from angular T&T sending as a parameter but .net core api site it is divided and T only taking as parameter .Could you please anyone tell me how to pack T&T as a parameter
Using the & in the query string, we could add multiple parameters. If you want to send a parameter value which contains the & character, you have to Encode the it using the encodeURIComponent() function, then the & character will be changed to %26. More detail information, see HTML URL Encoding Reference
So, try to replace the & to %26.
The screenshot as below:
I have an application that collect user input and store to DB and show back to user.
One user entered "alert(1)" into the name field and saved it into DB.
Whenever the name is displayed, the page will be broken.
I know how to fix that input only with validation for input, and h() for output.
However, I have so many input fields and so many outputs that accept users' text.
Is there any simple way to prevent this happening(i.e. overriding params method, etc)?
I also want to know how you expert guys are dealing with this problem?
As of Rails 3, my understanding was that embedded ruby code was html escaped by default. You don't need to use h() to make it that way. That is, if you use <%= "<script>a=1/0;</script>" %> in a view, the string is going to be made html safe, and so the script doesn't execute. You would have to specifically use raw() or something similar to avoid it - which you should naturally not do unless you're really confident about the contents.
For output, Rails 3 automatically html-encode all text unless I use raw() method.
For input, How about making a common validator and apply to all fields that are text or string? Is it desirable?
http://api.rubyonrails.org/classes/ActiveModel/Validator.html
class MyValidator < ActiveModel::Validator
def validate(record)
record.class.columns.each do |c|
if c.type==:text || c.type == :string
record.errors.add c.type, "script tag is not allowed" if c[/<script[^>]*>/]
end
end
end
end
I have a rails app and when I have both the console and db:console open, they have different values for what is supposed to be the same field. I am using the send function to change the value. Here is the method in the model:
def toggle_approve(field)
self.send(field)
if(self.send(field).blank?)
self.send(field + '=', "new_value")
puts self.send(field)
else
self.send(req + '=', "")
end
rank.save
end
In my db:console (sqllite) everything is always correct, but in my regular erb console it is wrong. My view will then show what is in the erb console and not the sqllite. I dont understand what is going on in the background that would causing this issue. Any help would be great.
It's hard to be sure from the details you provided, but I think it is the case that your view uses an obsolete version of the data. Try calling .reload on the updated record, just at the point after the update and before presentation. See if that fixes your problem.
Whenever I get the .val() of input box with javascript, everything after and including the < character is not included. So if I put "hello<yo" i receive hello.
So a user typing '<' anywhere in the textbox will either submit a false input he didn't want, or receive the wrong error message
(i.e. if he inputs "<hello", it will say it's blank)
This seems to be fine in javascript alone. But I am getting the val() from javascript and then in ajax i am sending it to a php URl as a query string and validating it there on the php.
Any ideas?
Thank you.
EDIT: MY bad i didnt know there was a striptag() function being called in php
Instead of entering < try entering <.
I'm building an app on Rails 3 RC. I understand the point behind the _snowman param (http://railssnowman.info/)...however, I have a search form which makes a GET request to the index. Therefore, submitting the form is creating the following query string:
?_snowman=☃&search=Box
I don't know that supporting UTF encoding is as important as a clean query string for this particular form. (Perhaps I'm just too much of a perfectionist...hehe) Is there some way to remove the _snowman param for just this form? I'd rather not convert the form to a POST request to hide the snowman, but I'd also prefer it not be in my query string. Any thoughts?
You can avoid the snowman (now a checkmark) in Rails 3 by.... not using Rails for the search form. Instead of using form_tag, write your own as outlined in:
Rails 3 UTF-8 query string showing up in URL?
Rails helpers are great unless they're not helping. Do-it-yourself is good as long as you understand the consequences, and are willing to maintain it in the future.
I believe the snowman has to be sent over the wire to ensure your data is being encoded properly, which means you can't really remove the snowman input from forms. Since, it's being sent in your GET request, it will have to be appended to the URL.
I suppose you could write some javascript to clean up the URL once the search page loads, or you could setup a redirect to the equivalent URL minus the snowman. Both options don't really feel right to me.
Also, it doesn't seem there is any way to configure Rails to not output it. If you really wanted to get rid of it, you could comment out those lines in Rails' source (the committed patches at the bottom of railssnowman.info should lead you to the files and line numbers). This adds some maintenance chores for you when you upgrade Rails. Perhaps you can submit a patch to be able to turn this off?
EDIT: Looks like they just switched it to what looks like a checkmark instead of a snowman.
EDIT: Oops, back to a snowman.
In Rails 4.1 you can use the option :enforce_utf8 => false to disable utf8 input tag.
However I want to use this in Rails 3, so I monkey-patched my Rails. I put the following in the config/initializers directory.
# allow removing utf8 using enforce_utf8, remove after Rails 4.1
module ActionView
module Helpers
module FormTagHelper
def extra_tags_for_form(html_options)
authenticity_token = html_options.delete("authenticity_token")
method = html_options.delete("method").to_s
method_tag = case method
when /^get$/i # must be case-insensitive, but can't use downcase as might be nil
html_options["method"] = "get"
''
when /^post$/i, "", nil
html_options["method"] = "post"
token_tag(authenticity_token)
else
html_options["method"] = "post"
tag(:input, :type => "hidden", :name => "_method", :value => method) + token_tag(authenticity_token)
end
enforce_utf8 = html_options.delete("enforce_utf8") { true }
tags = (enforce_utf8 ? utf8_enforcer_tag : ''.html_safe) << method_tag
content_tag(:div, tags, :style => 'margin:0;padding:0;display:inline')
end
end
end
end