Paul Lynch wrote in post #1121214:
> If, in your view, you are expecting params[:name] to be a string, but
> actually rails has parsed it into {"."=>"1234"} (or something more
> malicious), then currently
> <%= sanitize(params[:name]) %> blows up because the hash does not
> respond
> the expected methods from the sanitize call.
>
> I could put in code to check that the params values I am sanitizing are
> strings, but it seems like it would be better for sanitize to handle
> that,
> and perhaps just return the empty string if the processing of the input
> raises an exception.
Hum. It seems to me that "blowing up" is the right thing to do in this
scenario. More precisely an exception should be raised indicating a
programmer mistake of passing an illegal argument to a method expecting
a string.
--
Posted via http://www.ruby-forum.com/.
--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rubyonrails-talk+unsubscribe@googlegroups.com.
To post to this group, send email to rubyonrails-talk@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/rubyonrails-talk/c54d51850e1948568b77874beb9f21e1%40ruby-forum.com.
For more options, visit https://groups.google.com/groups/opt_out.
No comments:
Post a Comment