[Rails] Re: Best Practices: Escaping text on input or output?
Ben Munat
bent at munat.com
Wed Feb 1 00:18:33 GMT 2006
I have been gradually working my way around to the opinion that the application
architecture as layer cake is a flawed model. Rather my new paradigm states that the
application code -- the *model* -- is the defensive core and *all* approaches must be
thoroughly guarded: including data from the db.
Historically this is a reasonable position simply because there's always someone with
command-line access to the db. I have seen plenty of situations where bad data caused an
error... and the client didn't give a damn that it was his data that caused the error.
More recently, web services have created another route into the app that avoids the UI
layer. And -- despite DHH's claim to using "application" dbs over "integration" dbs -- it
is extremely likely that someday the powers that be will want another app to talk to the
same db.
If you simply write your model with the assumption that any data that is handed to it is
suspect, then you're way ahead of the game. It's a bit more work but it makes for a more
robust, long-lived system.
This is somewhat tangential to the original point, but its applicability is this: just
put your data into the database as plain as possible and do all necessary checking,
validating and converting in the application (validation in the model and converting in
the view, since each view (and I use that term generically: a "view" could be an html
page, a pdf, a word doc, an email, an xml file, another app's input, etc.) knows best how
it wants to see the data).
Of course, I haven't yet applied this as rigorously as I would like... all in good time. :-)
b
Joe wrote:
> Kevin Olbrich wrote:
>
>>Am I missing something here?
>>So, for all you web application development professionals out
>>there....why escape text on output and not on input?
>
>
> Because Rails' standard methods handle input escaping automatically. As
> for output, you only need to worry about values that could contain
> malicious code (like XSS), so use h() and/or sanitize().
>
> Joe
>
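The store-it-raw, validate-in-the-model, convert-in-the-view arrangement described above, as an added Ruby example that is not part of this thread: the Comment class, the Views module and the sample text are constructed for illustration, and ERB::Util.html_escape stands in for Rails' h() helper.

```ruby
require "erb"   # ERB::Util.html_escape is what Rails' h() helper wraps
require "json"

# Hypothetical model: the body is stored exactly as received, no escaping on input.
class Comment
  MAX_LEN = 200
  attr_reader :body, :errors

  def initialize(body)
    @body = body.to_s
    @errors = []
  end

  # Model-level validation enforces business rules, not output encoding.
  def valid?
    @errors = []
    @errors << "body can't be blank" if @body.strip.empty?
    @errors << "body is too long (max #{MAX_LEN})" if @body.length > MAX_LEN
    @errors.empty?
  end
end

# Hypothetical views: each output format applies the encoding its own context needs.
module Views
  # HTML page: entity-escape at output time, as h() would.
  def self.html(comment)
    "<p>#{ERB::Util.html_escape(comment.body)}</p>"
  end

  # JSON handed to another app: JSON's own quoting, no HTML entities.
  def self.json(comment)
    JSON.generate("body" => comment.body)
  end

  # Plain-text e-mail: the raw text is what the reader should see.
  def self.text(comment)
    comment.body
  end
end

# What escape-on-input would store instead: the value is now HTML, so the HTML view
# double-escapes it and the JSON and text views leak entities.
def escaped_on_input(raw)
  ERB::Util.html_escape(raw)
end

# Constructed sample input containing characters that matter in HTML.
RAW = "Tom & Jerry <b>rule</b>"
SAMPLE = Comment.new(RAW)
```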