sanitize() AND escapeHTML()/h() ?

Hi there,

is it correct that one should always use both...

  1.
sanitize(params[:whatever_external_or_user_input_to_save_to_database]),
AND
  2. h(@whatever_database_record_to_display_on_page)

...in order to have the highest security level? (Besides all the other
security stuff to do, of course)

Thanks a lot!
Tom

Tom Ha wrote:

Hi there,

is it correct that one should always use both...

  1.
sanitize(params[:whatever_external_or_user_input_to_save_to_database]),
AND
  2. h(@whatever_database_record_to_display_on_page)

...in order to have the highest security level?

AFAIK, sanitize should not be necessary -- ActiveRecord uses
parameterized queries, which already protect against SQL injection
without further sanitization. (If you write your own SQL, your queries
should also be parameterized.). h, on the other hand, is not about
security so much as it is about keeping markup valid and correct. You
should definitely use it on anything that comes from the DB, unless
you're deliberately storing HTML code in there.

BTW, if you use Haml (highly recommended), it has a very useful
shorthand construct for this (&= instead of h), and you can even turn on
HTML escaping as a global default.

Best,

Great, thanks a lot!