Re: [Rails] Re: How to render a text file without changing its formatting?

Ruby on Rails Thursday, July 26, 2012

On 26 July 2012 21:21, Robert Walker <lists@ruby-forum.com> wrote:
> lalalalala pqpqpqpqpq wrote in post #1070310:
>>> But which, to the OP's point, won't be done if the content is wrapped
>>> in a PRE element...
>> nevermind, this worked. thanks a lot.
>
> Keep in mind that, unless you have complete control over the content of
> that text file, this solution could be very dangerous from a security
> perspective. For instance if you're getting that file from an end user
> through some sort of file upload you better make sure you sanitize it
> before sending it back to the browser to be rendered.
>
> That's what we would call "user provided data" and you should never
> trust user provided data.

Will html not automatically be escaped (assuming this is on Rails 3)
as the string will not be marked html safe? If not on 3 then
certainly it must be sanitised.

Colin

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk@googlegroups.com.
To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

Posted by Ruby on Rails at 1:32 PM

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)