ruby-on-rails - What is the least dangerous way to allow users to enter code samples?

Reposted. Author: 太空宇宙. Updated: 2023-11-03 17:06:10

I'm implementing a Rails application in which users can store code snippets for later reference. I plan to use Markdown for text entry, and will probably use the wmd markdown editor (the same one Stack Overflow uses).

I'm a little worried about the idea of people typing code into the edit box. As far as I know, entering SQL could mess up my database, or entering JavaScript could run later and cause mischief.

Normally Rails has features that prevent this, but am I in a special situation because my users will be encouraged to enter code snippets?

What extra precautions should I take?

Best answer

Just sanitize your database entries. Rails does this by default now; you only need to use the framework correctly. See this for more information: http://wiki.rubyonrails.org/howtos/security/sql_injection

Do this:

Project.find(:all, :conditions => ["name = ?", params[:name]])  # bound parameter: the adapter quotes the value
# or
Project.find(:all, :conditions => {:name => params[:name]})     # hash condition: the value is quoted as a literal

Not this:

Project.find(:all, :conditions => "name = '#{params[:name]}'")  # string interpolation: user input is spliced straight into the SQL

You must also guard against XSS attacks by rendering with

<%=h possible_harmful_text %>

For reference:

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which allow code injection by malicious web users into the web pages viewed by other users. Examples of such code include client-side scripts. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. Vulnerabilities of this kind have been exploited to craft powerful phishing attacks and browser exploits. Cross-site scripting carried out on websites were roughly 80% of all documented security vulnerabilities as of 2007. Often during an attack "everything looks fine" to the end-user who may be subject to unauthorized access, theft of sensitive data, and financial loss. (via wikipedia)

And of course:

SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another. SQL injection attacks are also known as SQL insertion attacks. (via wikipedia)
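The two points of the answer, bound query parameters and `<%=h %>` escaping, as an added, runnable Ruby example that is not part of the original answer. It uses only the standard-library `ERB::Util` helper (the same `h` Rails exposes in views); the `bound_condition` quoting function is a labelled stand-in for what the database adapter does with a `?` placeholder, not ActiveRecord's own code, and the snippet is a constructed sample.

```ruby
require 'erb'
include ERB::Util  # provides h / html_escape, the helper behind Rails' <%=h %>

# Constructed sample of what a user might paste into the snippet editor.
# Stored as plain text it is harmless; the risk lies only in how it is
# passed to SQL and how it is rendered back into HTML for other users.
SNIPPET = %q{<script>alert('xss')</script> name = 'a' OR '1'='1'}

# --- XSS side: rendering the stored snippet back to viewers --------------

# <%= %> without h: the script tag would execute in every viewer's browser.
def render_unescaped(snippet)
  ERB.new("<pre><%= snippet %></pre>").result(binding)
end

# <%=h %> as in the answer: < > & ' " become entities, so the browser
# displays the code instead of executing it.
def render_escaped(snippet)
  ERB.new("<pre><%=h snippet %></pre>").result(binding)
end

# --- SQL side: what the ? placeholder buys you --------------------------

# The interpolation form from the answer's "not this" example: whatever the
# user typed becomes part of the SQL text.
def interpolated_condition(name)
  "name = '#{name}'"
end

# Assumption: a minimal illustration of adapter quoting, not ActiveRecord's
# implementation. With ["name = ?", name] the value is emitted as ONE string
# literal, embedded quotes doubled, so it can never close the literal and
# append a clause of its own.
def bound_condition(name)
  "name = '#{name.gsub("'", "''")}'"
end

if __FILE__ == $0
  puts render_unescaped(SNIPPET)              # live <script> tag
  puts render_escaped(SNIPPET)                # inert &lt;script&gt; text
  puts interpolated_condition("a' OR '1'='1") # name = 'a' OR '1'='1'
  puts bound_condition("a' OR '1'='1")        # name = 'a'' OR ''1''=''1'
end
```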

Regarding ruby-on-rails - What is the least dangerous way to allow users to enter code samples?, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/1081025/
