Securing a rails app, blog comments?

I have my working blog that uses comments and works very well; now I'm
focusing on the security, so which is the best way to secure the
comments of the people in your app to avoid malicious code being included?

I'm only using the h() function when displaying it in the admin zone (so
the admin session is valid), but I don't know if that's enough or if I'm
missing something.

  1. Protect against SQL injection by using bind variables in your code.
  2. When you populate your model object from a form, use attr_protected to
     prevent malicious users from accessing fields that are not intended for
     users to populate (like approved, paid fields etc.).
  3. Always check the id parameter to make sure that it belongs to that user,
     to avoid exposing records that belong to other users.
  4. Protect all methods that are not supposed to be invoked from the URL by
     using the protected or private keyword for those methods.
  5. Don’t run an ftp server or echo server on your production machine.
  6. Use the https protocol for sensitive data.
  7. Don’t cache authenticated pages.

On 10/25/06, Joselo [email protected] wrote:

Posted via http://www.ruby-forum.com/.
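As an added example, not code from the thread or from Rails itself: a plain-Ruby sketch of items 2 and 3 from the list above, a form-assignment filter that behaves like attr_protected and a record lookup scoped to the owning user. The Comment and CommentStore classes, their method names and the form submission are hypothetical and constructed for this illustration.

```ruby
require 'set'

# Hypothetical comment model with a hard-coded list of form-protected fields
# (the equivalent of Rails' attr_protected :id, :approved).
class Comment
  attr_accessor :id, :author, :body, :approved

  PROTECTED = Set.new(%w[id approved]).freeze

  def initialize
    @approved = false
  end

  # Copies only permitted, known attributes from untrusted form params.
  # Returns the keys that were ignored so the controller can log them.
  def assign_from_form(params)
    ignored = []
    params.each do |key, value|
      name = key.to_s
      if PROTECTED.include?(name) || !respond_to?("#{name}=")
        ignored << name
      else
        public_send("#{name}=", value)
      end
    end
    ignored
  end
end

# Hypothetical in-memory store standing in for the comments table.
class CommentStore
  def initialize
    @rows = {}
    @next_id = 1
  end

  def add(comment, owner_id)
    comment.id = @next_id
    @rows[@next_id] = { owner_id: owner_id, comment: comment }
    @next_id += 1
    comment
  end

  # Item 3 of the list: never look a record up by id alone. Scoping the
  # lookup to the owner makes another user's id behave as "not found"
  # (the Rails idiom is current_user.comments.find(params[:id])).
  def find_for_owner(id, owner_id)
    row = @rows[id.to_i]
    row && row[:owner_id] == owner_id ? row[:comment] : nil
  end
end

# Constructed sample: a form submission that smuggles in the approved flag
# and a chosen id next to the legitimate author and body fields.
def demo
  form = { 'author' => 'Joselo', 'body' => 'Nice post',
           'approved' => 'true', 'id' => '999' }
  store = CommentStore.new
  comment = Comment.new
  ignored = comment.assign_from_form(form)
  store.add(comment, 1) # owned by user 1
  { comment: comment, ignored: ignored, store: store }
end

if __FILE__ == $PROGRAM_NAME
  r = demo
  puts "ignored form keys: #{r[:ignored].inspect}"
  puts "approved stays #{r[:comment].approved.inspect}, id assigned by store: #{r[:comment].id}"
  puts "user 2 fetching comment 1: #{r[:store].find_for_owner(1, 2).inspect}"
end
```

The filter is deliberately a deny list of fields plus a check that the setter exists; in a real app the allow-list direction (name the fields a form may set) is easier to keep correct as the model grows.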

You are correct - h() is not enough. Check out the excellent
White-listing plugin by Rick O. at
http://weblog.techno-weenie.net/2006/9/3/white-listing-plugin-for-rails.

Hope this helps,
Zack
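To make Zack's point concrete, here is an added example, not code from the thread and not the white-listing plugin he links: h() escapes every tag, so commenters get no formatting at all, while an allow-list sanitizer escapes everything by default and then re-admits only named tags and attributes. The CommentSanitizer module, its tag list and the href scheme rule are assumptions made for this illustration; the inputs in the test are constructed.

```ruby
require 'cgi'

# Hypothetical sanitizer: escape everything, then re-admit an allow list.
module CommentSanitizer
  # Tags a commenter may use, with the attributes each may carry.
  ALLOWED = {
    'b' => [], 'i' => [], 'em' => [], 'strong' => [], 'code' => [],
    'p' => [], 'br' => [], 'blockquote' => [],
    'a' => %w[href title]
  }.freeze

  # href is kept only for these schemes; anything else (javascript:, data:,
  # vbscript: ...) is dropped so the link degrades to a plain <a>.
  SAFE_HREF = %r{\A(?:https?://|mailto:|/)}i

  TAG_RE       = /<[^>]*>/
  TAG_PARTS_RE = %r{\A<(/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>\z}
  ATTR_RE      = /([a-zA-Z][\w-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/

  # What h() does: escape everything, formatting included.
  def self.escape(text)
    CGI.escapeHTML(text)
  end

  # Text between tags is escaped exactly as h() would; each <...> token is
  # either rebuilt from allow-listed parts or escaped into literal text.
  def self.sanitize(html)
    out = +''
    rest = html
    while (m = TAG_RE.match(rest))
      out << escape(m.pre_match)
      out << rewrite_tag(m[0])
      rest = m.post_match
    end
    out << escape(rest)
  end

  def self.rewrite_tag(tag)
    parts = TAG_PARTS_RE.match(tag)
    return escape(tag) unless parts # not even tag-shaped: show it literally
    closing = parts[1] == '/'
    name    = parts[2].downcase
    return escape(tag) unless ALLOWED.key?(name) # <script>, <img>, ... shown literally
    return "</#{name}>" if closing
    attrs = parts[3].scan(ATTR_RE).map do |attr, *vals|
      attr  = attr.downcase
      value = vals.compact.first.to_s
      next unless ALLOWED[name].include?(attr) # drops onclick, style, target, ...
      next if attr == 'href' && value.strip !~ SAFE_HREF
      " #{attr}=\"#{escape(value)}\""
    end
    "<#{name}#{attrs.compact.join}>"
  end
end

if __FILE__ == $PROGRAM_NAME
  sample = '<b onclick="x()">bold</b> <a href="javascript:alert(1)">link</a> <script>alert(1)</script>'
  puts "h():       #{CommentSanitizer.escape(sample)}"
  puts "allowlist: #{CommentSanitizer.sanitize(sample)}"
end
```

The regex tokenizer is enough to show the shape of the approach; a real sanitizer should parse the markup with an HTML parser, since browsers tolerate malformed tags that a `<[^>]*>` pattern does not see the same way.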