What could/should I do to care about security in my case?

I am using Ruby on Rails 3.1.0 and I would like to focus on security when using the I18n gem for internationalization purposes.

At this time I have:

# in .yml file
key_1_html: "%{var_1} is just a test"

# in view, controller and model files
I18n.t('key_1_html', :var_1 => 'Test variable')

The Test variable is/represents an input from users, so I should consider that as potential hacking.

What could/should I do to care about security in my case?

Under normal Rails (3.x) usage, you don't have to do anything.

Even if some HTML code or JavaScript gets into the string returned from i18n, if you are outputting strings returned from i18n in ordinary ways, any HTML in them (whether from the template or the variable) will be escaped and show up as literal source in the web page.

You'd have to manually mark a string returned by i18n as .html_safe to get it to be delivered as HTML source.

So don't do that.

Try it yourself, and see.

I18n.t('key_1_html', :var_1 => '/<script>danger!</script>')

Now output that in an ERB template, see what happens.

If you're doing something odd with i18n other than outputting it through typical Rails templates to the browser, then you'll need to say what, and what your concern is.

I think maybe this guide is what you're looking for, for an overview of Rails security issues:

http://guides.rubyonrails.org/security.html

See Section 8 on "Injection".
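The escaping behaviour this answer describes, as an added Ruby example that is not part of the original post: it models I18n.t and the output step of a Rails template with the standard library only, so TRANSLATIONS, SafeString, translate, render and translate_html are assumed stand-ins, not Rails or I18n APIs. One caveat worth knowing because the question's key ends in _html: the Rails t view helper (unlike I18n.t called directly, as in the question) marks such translations html_safe, and current Rails escapes their interpolated values before substituting them; translate_html shows that pattern.

```ruby
require 'erb'

# Constructed stand-in for the .yml translation in the question (assumed data).
TRANSLATIONS = { 'key_1_html' => '%{var_1} is just a test' }.freeze

# Marker for strings declared safe for HTML output; a simplified stand-in for
# what .html_safe / ActiveSupport::SafeBuffer do in Rails (assumption).
class SafeString < String; end

# Stand-in for I18n.t: look up the key and fill the %{...} placeholders.
# Ruby's String#% understands the same %{name} syntax that I18n uses.
def translate(key, **vars)
  TRANSLATIONS.fetch(key) % vars
end

# Stand-in for what <%= %> does in a Rails template: a plain String is
# escaped on output, a string marked safe is emitted verbatim.
def render(value)
  value.is_a?(SafeString) ? value.to_s : ERB::Util.html_escape(value)
end

# Defensive pattern for _html keys: escape every interpolation value before
# it is substituted, then mark the result safe so markup in the translation
# template survives while user input cannot inject tags.
def translate_html(key, **vars)
  escaped = vars.transform_values { |v| ERB::Util.html_escape(v.to_s) }
  SafeString.new(TRANSLATIONS.fetch(key) % escaped)
end

if __FILE__ == $PROGRAM_NAME
  untrusted = '/<script>danger!</script>' # the probe value from the answer
  # Ordinary output: the tags come out as literal, escaped text.
  puts render(translate('key_1_html', var_1: untrusted))
  # Manually marking the whole string safe bypasses escaping: don't do this.
  puts render(SafeString.new(translate('key_1_html', var_1: untrusted)))
  # Escape-then-mark: the user value is neutralised, the wrapper stays safe.
  puts render(translate_html('key_1_html', var_1: untrusted))
end
```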
