sanitize() AND escapeHTML()/h() ?

Hi there,

is it correct that one should always use both...

  1. sanitize(params[:whatever_external_or_user_input_to_save_to_database]), AND
  2. h(@whatever_database_record_to_display_on_page)

...in order to have the highest security level? (Besides all the other security stuff to do, of course)

Thanks a lot! Tom

Tom Ha wrote:

Hi there,

is it correct that one should always use both...

  1. sanitize(params[:whatever_external_or_user_input_to_save_to_database]), AND
  2. h(@whatever_database_record_to_display_on_page)

...in order to have the highest security level?

AFAIK, sanitize should not be necessary -- ActiveRecord uses parameterized queries, which already protect against SQL injection without further sanitization. (If you write your own SQL, your queries should also be parameterized.) h, on the other hand, is not about security so much as it is about keeping markup valid and correct. You should definitely use it on anything that comes from the DB, unless you're deliberately storing HTML code in there.

BTW, if you use Haml (highly recommended), it has a very useful shorthand construct for this (&= instead of h), and you can even turn on HTML escaping as a global default.

Best,
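As an added illustration of the "escape at display time" advice in the reply above (not code from the thread or from Rails itself): in a Rails view, `h` is `ERB::Util.html_escape` from the Ruby standard library, so the same call can be run outside Rails. The stored comment is a constructed sample of what a form field might have saved; the `SafeDisplay` module and its method names are this example's own. It also shows why escaping belongs at output only: applying it on the way in as well corrupts legitimate data such as a bare ampersand.

```ruby
require "erb"

# Output encoding for values read back from the database. In Rails views the
# helper `h` is ERB::Util.html_escape; this module calls it directly so the
# behaviour can be checked without a Rails application.
module SafeDisplay
  # Render a stored comment body inside a <p>. The stored value is treated as
  # text: <, >, &, and quotes are replaced by entities, so markup that was
  # saved verbatim (the DB layer does not care about HTML) is shown literally
  # instead of being interpreted by the browser.
  def self.render_comment(body)
    "<p>#{ERB::Util.html_escape(body)}</p>"
  end

  # Escape exactly once, at display time. This is the correct path.
  def self.escape_once(value)
    ERB::Util.html_escape(value)
  end

  # Escaping on save *and* on display is the mistake the thread's question
  # hints at: "&" becomes "&amp;" in the DB and "&amp;amp;" on the page, and
  # a user who typed "a < b" sees "a &lt; b" rendered as literal text.
  def self.escape_twice(value)
    ERB::Util.html_escape(ERB::Util.html_escape(value))
  end
end

# Constructed sample: a comment body stored verbatim by a parameterized INSERT.
STORED_COMMENT = %q{Tom said "a < b" & <script>alert(1)</script>}

if __FILE__ == $0
  puts SafeDisplay.render_comment(STORED_COMMENT)
  puts SafeDisplay.escape_once("a & b")   # a &amp; b
  puts SafeDisplay.escape_twice("a & b")  # a &amp;amp; b  (data corrupted)
end
```

The split the reply describes is: parameterized queries keep untrusted input from changing the SQL on the way in, and `h` (or Haml's `&=`) keeps it from changing the HTML on the way out. Each layer addresses its own interpreter, and neither substitutes for the other.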

Great, thanks a lot!