September 20th, 2006
In_place_edit_for with validation and sanitization
I've started having a look at my little Rails app. I'm writing with a security person's hat on, and one of the problems I've run into is that you can't by default use the h() function with an in-place edit control. So this link has a solution for that...
One quirk seemed to be that when I put in the XSS code </span><script>alert("xss")</script><span> using in_place_edit, it escapes it OK, but then each time I click into the field and then click OK it re-escapes the contents, giving an ever-expanding field...
Still, the main thing is it gets rid of the XSS problem (well, from a security point of view anyway).
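The ever-expanding field is what happens when the escaped output is fed back in as the next stored value, because h() (ERB::Util.html_escape in Rails) is not idempotent. The following is an added example, not code from this post or from the linked solution: a small Ruby model of the widget's data flow (store, display, click in, click OK) that I constructed to show the two wirings side by side. The class and method names are my own, and the assumption is that the naive editor copies the element's already-escaped markup into the text box, while the correct one is handed the raw stored value and escapes only on output.

```ruby
require 'erb'
require 'cgi'

# h() in Rails is ERB::Util.html_escape. It is not idempotent: running it over
# text that is already escaped escapes the ampersands a second time.
def h(text)
  ERB::Util.html_escape(text)
end

# Constructed model of an in-place editor's data flow (not the real widget):
# the page shows the escaped value; clicking the field turns it into a text
# box; clicking OK posts the text box contents back as the new stored value.
class InPlaceEditModel
  attr_reader :stored

  def initialize(stored, editor_reads_escaped_markup:)
    @stored = stored
    @editor_reads_escaped_markup = editor_reads_escaped_markup
  end

  # What the page renders in view mode: always escaped, so stored text can
  # never run as script regardless of which wiring is used below.
  def display
    h(@stored)
  end

  # What appears in the text box when the user clicks in.
  def field_text
    if @editor_reads_escaped_markup
      # Naive wiring: the editor copies the element's escaped markup verbatim,
      # so the user literally sees "&lt;script&gt;" and posts that back.
      display
    else
      # Correct wiring: the editor is given the raw stored value (modelled as
      # an escaped attribute that the browser decodes before showing it).
      CGI.unescapeHTML(h(@stored))
    end
  end

  # Clicking OK without editing anything posts the text box contents back.
  def click_ok
    @stored = field_text
    self
  end
end

# The probe string from the post above, used here as constructed input.
XSS_PROBE = '</span><script>alert("xss")</script><span>'

# Display value after N untouched click-in / click-OK round trips.
def display_after_clicks(clicks, editor_reads_escaped_markup:)
  model = InPlaceEditModel.new(XSS_PROBE,
                               editor_reads_escaped_markup: editor_reads_escaped_markup)
  clicks.times { model.click_ok }
  model.display
end

if __FILE__ == $PROGRAM_NAME
  puts "naive, 0 clicks:   #{display_after_clicks(0, editor_reads_escaped_markup: true)}"
  puts "naive, 2 clicks:   #{display_after_clicks(2, editor_reads_escaped_markup: true)}"
  puts "correct, 2 clicks: #{display_after_clicks(2, editor_reads_escaped_markup: false)}"
end
```

With the naive wiring each click lengthens the displayed text (&lt; becomes &amp;lt;, and so on), while the correct wiring keeps the raw value in the model and escapes once at render time, so the display is identical after any number of clicks. In both wirings the rendered output never contains a live script tag, which is the property that matters.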