Tuesday, July 31, 2007

sanitizing Rails input parameters

I really like how Tapestry automagically escapes HTML input when posted from a form. In fact, it was just great never having to worry about that when coding. I'd like to have the same functionality in Rails, especially after reading about Rails XSS vulnerabilities and work-arounds. Since the webapp I'm writing has no requirements for allowing formatted user input, I just need something simple to clean/sanitize all the params. Here's the latest:

require 'cgi'

# HTML-escapes every String value in the given hash, recursing into nested
# hashes. The hash is modified in place and also returned, so callers can use
# either the argument or the return value. Array values (for example the ones
# Rails builds from fields named "ids[]") are left untouched by this version.
def sanitize(hash)
  hash.keys.each do |key|
    value = hash[key]

    if value.is_a?(Hash)
      sanitize(value)
    elsif value.is_a?(String)
      hash[key] = CGI.escapeHTML(value)
    end
  end

  hash
end

This is then invoked by a before_filter. It seems to do the job; is there a better, cleaner or faster way of doing this? Let me know how it could be improved...
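As an added example (not the post's own code), here is a version of the same idea that also descends into Arrays, which Rails produces for fields named like "tags[]", and that returns a new structure instead of mutating its input. It is plain Ruby with no Rails dependency; the wiring from a before_filter is assumed and only sketched in a comment, and SAMPLE_PARAMS is a constructed stand-in for what a controller would see in params. The last function uses ERB::Util.html_escape, the helper behind h() in views, to show what happens when already-escaped input is escaped a second time on output.

```ruby
require 'cgi'
require 'erb'

# Recursively HTML-escape every String in a params-shaped structure.
# Hashes and Arrays are rebuilt, so the caller's data is not modified;
# nil, numbers, uploaded files and other non-String leaves pass through.
def deep_escape(value)
  case value
  when Hash
    value.each_with_object({}) { |(k, v), out| out[k] = deep_escape(v) }
  when Array
    value.map { |v| deep_escape(v) }
  when String
    CGI.escapeHTML(value)
  else
    value
  end
end

# Assumed wiring in a controller (not shown in the post):
#   before_filter :escape_params
#   def escape_params
#     params.replace(deep_escape(params))
#   end

# Constructed sample of what Rails hands a controller in params.
SAMPLE_PARAMS = {
  "user" => { "name" => "<script>alert(1)</script>", "age" => 42 },
  "tags" => ["<b>bold</b>", "plain"],
  "note" => nil,
}

# Simulates a view calling h() on a value that was already escaped on input.
# The entities are encoded again: "&lt;" becomes "&amp;lt;", which the
# browser renders as the literal text "&lt;" rather than "<".
def rendered_in_view(already_escaped)
  ERB::Util.html_escape(already_escaped)
end

if __FILE__ == $0
  clean = deep_escape(SAMPLE_PARAMS)
  p clean
  puts rendered_in_view(clean["tags"][0])
end
```

The caveat this shows is the main objection to escaping on input: the values that reach the model and the database already contain HTML entities, so every view must render them without a second h(), and anything that is not HTML (JSON, mail, CSV, log lines) will carry the entities verbatim. That is workable for an application that only ever renders its fields as HTML, which is the situation the post describes, but the general answer is to escape at the point of output.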

Wednesday, July 11, 2007

Ruby: constant time for include?

Sure would be nice if the Ruby docs (including this book) would provide more details on the implementation of the Set class. According to this, Set implements its backing collection with a Hash, which would essentially mean that it's synonymous (to some degree) with Java's HashSet, thus providing constant-time lookup when Set#include? is invoked. Just for grins I benchmarked this in irb with a million Fixnums and was pleased with the 15 microsecond lookups. I looked at the source of both and found a fair amount of similarity.
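As an added example (not the post's own irb session), the following script puts a number on the difference the post is describing: the same membership test on a million-element Array, which has to scan linearly, and on a Set built from the same integers, which the standard library backs with a Hash. The input is constructed in the script; the lookup counts are chosen only to make each timing measurable.

```ruby
require 'set'
require 'benchmark'

N = 1_000_000
NUMBERS = (0...N).to_a        # constructed input: a million integers (Fixnums in 2007-era Ruby)
NUMBER_SET = Set.new(NUMBERS)
MISSING = N + 1               # absent value: the worst case for Array#include?, which scans every element

# Average seconds per include? call for each structure. The Array gets far
# fewer calls because each one is a full scan; the Set lookup is a hash probe.
def lookup_times(array_calls: 10, set_calls: 10_000)
  array_time = Benchmark.realtime { array_calls.times { NUMBERS.include?(MISSING) } }
  set_time   = Benchmark.realtime { set_calls.times { NUMBER_SET.include?(MISSING) } }
  { array: array_time / array_calls, set: set_time / set_calls }
end

if __FILE__ == $0
  t = lookup_times
  printf("Array#include? %10.1f us/call\n", t[:array] * 1e6)
  printf("Set#include?   %10.3f us/call\n", t[:set] * 1e6)
end
```

Doubling N roughly doubles the Array figure and leaves the Set figure where it was, which is the constant-time behaviour the post expected.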