Cross-site scripting (XSS)
"<p>safe</p>".html_safe   # marks the string as safe HTML: Rails will NOT escape it on output
# or
raw("<p>safe</p>")        # view helper with the same effect; both must only be used on trusted content
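The mechanism behind `html_safe` and `raw`, as an added plain-Ruby example (not Rails' own code): the template engine escapes every value except those explicitly marked safe, so calling `html_safe` on user input removes the only defence. `SafeString`, `render_html`, `comment_html` and the `EVIL` input are constructed for this example; `String#html_safe` is a stand-in for the Rails method of the same name.

```ruby
require "erb"

# Stand-in for Rails' ActiveSupport::SafeBuffer (constructed for this example):
# a String subclass that records "already safe HTML, do not escape again".
class SafeString < String
  def html_safe?
    true
  end
end

# Mirrors String#html_safe from Rails (assumption: same name, plain-Ruby version).
class String
  def html_safe
    SafeString.new(self)
  end
end

# What ERB's <%= %> does in a Rails view: escape everything except values that
# were explicitly marked safe. This single choke point is what XSS defence relies on.
def render_html(value)
  return value.to_s if value.respond_to?(:html_safe?) && value.html_safe?
  ERB::Util.html_escape(value.to_s)
end

# Render a comment inside a template: the markup is trusted, the user-supplied
# text is not, so only the text goes through escaping.
def comment_html(user_text)
  "<p class=\"comment\">#{render_html(user_text)}</p>".html_safe
end

# Constructed attacker-style input for the demonstration.
EVIL = "<script>alert(1)</script>".freeze

if __FILE__ == $PROGRAM_NAME
  puts render_html(EVIL)            # escaped: &lt;script&gt;alert(1)&lt;/script&gt;
  puts comment_html(EVIL)           # markup kept, text escaped
  puts render_html(EVIL.html_safe)  # the bug: html_safe on user input, script tag survives
end
```

The third call in the usage section is the pattern to look for in code review: `raw(params[...])` or `user_value.html_safe` anywhere a request value reaches a view.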
Cross-site request forgery (CSRF)
controller: protect_from_forgery verifies the authenticity token on form POST submissions
layout: csrf_meta_tags emits the token so JavaScript can read it and send it with its own requests
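How the two halves fit together, as an added plain-Ruby example (not Rails' implementation, which additionally masks the token per response): the session holds a random token, the layout exposes it in a meta tag, and every state-changing request must echo it back either as a form field or as the `X-CSRF-Token` header that JavaScript sets after reading the meta tag. All function names and the hash-based `session`/`params` are constructed for this example.

```ruby
require "securerandom"

# Token created once per session and stored there (what protect_from_forgery relies on).
def issue_csrf_token(session)
  session[:csrf_token] ||= SecureRandom.base64(32)
end

# Constant-time comparison so the check does not leak token bytes through timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Only state-changing verbs are checked; GET/HEAD must be side-effect free anyway.
# The token may arrive as the form field or as the header JavaScript sends.
def verified_request?(session, params:, headers: {}, method: "POST")
  return true if %w[GET HEAD].include?(method)
  expected = session[:csrf_token]
  supplied = params["authenticity_token"] || headers["X-CSRF-Token"]
  !expected.nil? && !supplied.nil? && secure_compare(expected, supplied)
end

# What csrf_meta_tags puts in the layout <head> so client-side code can find the token.
def csrf_meta_tags(session)
  %(<meta name="csrf-param" content="authenticity_token" />\n) +
    %(<meta name="csrf-token" content="#{issue_csrf_token(session)}" />)
end

if __FILE__ == $PROGRAM_NAME
  session = {}
  token = issue_csrf_token(session)
  puts csrf_meta_tags(session)
  # A cross-site form cannot read the victim's session or page, so it has no token.
  puts verified_request?(session, params: {})                                  # false
  puts verified_request?(session, params: { "authenticity_token" => token })   # true
  puts verified_request?(session, params: {}, headers: { "X-CSRF-Token" => token }) # true
end
```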
SQL injection
Project.where({ :name => params[:name] })   # or Project.where(["name = ?", params[:name]])  -- both bind the value instead of interpolating it
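What the `["name = ?", value]` form does for you, as an added plain-Ruby example (not ActiveRecord's own code): each `?` is replaced by a quoted literal, so a quote inside the value cannot terminate the string. The quoting rule here (double every single quote) is the SQLite/standard-SQL convention and is an assumption of this example; real adapters quote per database. `quote_sql`, `sanitize_sql_array`, `unsafe_where` and `safe_where` are constructed names.

```ruby
# Quote a Ruby value as an SQL literal (assumption: standard-SQL string quoting,
# which doubles embedded single quotes; MySQL-style backslash escaping differs).
def quote_sql(value)
  case value
  when nil            then "NULL"
  when Integer, Float then value.to_s
  else "'" + value.to_s.gsub("'", "''") + "'"
  end
end

# Expand a template such as "name = ?" by binding one quoted value per placeholder,
# refusing templates whose placeholder count does not match the arguments.
def sanitize_sql_array(template, *values)
  unless template.count("?") == values.size
    raise ArgumentError, "expected #{template.count('?')} bind values, got #{values.size}"
  end
  remaining = values.dup
  template.gsub("?") { quote_sql(remaining.shift) }
end

# The vulnerable pattern: request input interpolated straight into the query text.
def unsafe_where(name)
  "SELECT * FROM projects WHERE name = '#{name}'"
end

# The safe pattern the page recommends: the value is bound, never parsed as SQL.
def safe_where(name)
  "SELECT * FROM projects WHERE " + sanitize_sql_array("name = ?", name)
end

if __FILE__ == $PROGRAM_NAME
  puts safe_where("O'Reilly")          # legitimate apostrophe survives intact
  puts unsafe_where("x' OR '1'='1")    # the WHERE clause now has an extra OR branch
  puts safe_where("x' OR '1'='1")      # the whole input stays one string literal
end
```

Only the bound form keeps request data on the "data" side of the query; the hash form `where(name: params[:name])` is bound the same way.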
Mass assignment
attr_protected   # blacklist: every attribute except the listed ones may be set from params
# or
attr_accessible  # whitelist: only the listed attributes may be set from params
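Why the whitelist matters, as an added plain-Ruby example (not Rails' attr_accessible or its successor, strong parameters): a sign-up form carries an extra `admin` field, and only the model that filters params against an allow-list ignores it. `User`, `SIGNUP_PARAMS` and the two builder functions are constructed for this example.

```ruby
# Plain-Ruby stand-in for a model whose attributes are filled from a params hash.
class User
  ATTRIBUTES = %i[name email admin].freeze
  attr_reader(*ATTRIBUTES)

  # Whitelist assignment: a key is applied only if it is both a real attribute
  # and explicitly permitted (the attr_accessible / permit idea).
  def initialize(params, permitted:)
    params.each do |key, value|
      key = key.to_sym
      next unless ATTRIBUTES.include?(key) && permitted.include?(key)
      instance_variable_set("@#{key}", value)
    end
  end
end

# Constructed request: the form only shows name and email, but the client
# added admin=true to the POST body.
SIGNUP_PARAMS = { "name" => "alice", "email" => "alice@example.com", "admin" => "true" }.freeze

# Correct: the controller decides which attributes a self-service form may set.
def build_user_with_whitelist
  User.new(SIGNUP_PARAMS, permitted: %i[name email])
end

# Unsafe: everything the model knows about is assignable, so admin gets set.
def build_user_without_whitelist
  User.new(SIGNUP_PARAMS, permitted: User::ATTRIBUTES)
end

if __FILE__ == $PROGRAM_NAME
  p build_user_with_whitelist.admin      # nil
  p build_user_without_whitelist.admin   # "true"
end
```

From Rails 4 onward the same whitelist is written in the controller as `params.require(:user).permit(:name, :email)`; the principle is unchanged.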
Symbolize
if params[:category].to_sym == :first   # in this case just compare strings: params[:category] == "first"
  # do something
end
Unrestricted record lookup
Enforce permissions (an authorization check before returning the record)
# or
@order = current_user.orders.find(params[:id])   # scope the query to the current user's own records
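The difference between `Order.find(params[:id])` and `current_user.orders.find(params[:id])`, as an added plain-Ruby example (not ActiveRecord): the scoped lookup folds the ownership condition into the query, so an id belonging to another user is simply not found. `Order`, `ORDERS`, `RecordNotFound` and the two lookup functions are constructed for this example.

```ruby
Order = Struct.new(:id, :user_id, :total)

# Constructed dataset: orders belonging to two different users (ids 10 and 11).
ORDERS = [Order.new(1, 10, 50), Order.new(2, 11, 99)].freeze

# Stand-in for ActiveRecord::RecordNotFound.
class RecordNotFound < StandardError; end

# Unscoped lookup: any signed-in user can read any order by supplying its id.
def find_order_unscoped(id)
  id = Integer(id)   # params[:id] arrives as a string
  ORDERS.find { |o| o.id == id } or raise RecordNotFound, "order #{id}"
end

# Scoped lookup, the current_user.orders.find(params[:id]) pattern: the owner
# check is part of the query itself, so it cannot be forgotten in the controller.
def find_order_for(user_id, id)
  id = Integer(id)
  ORDERS.find { |o| o.id == id && o.user_id == user_id } or raise RecordNotFound, "order #{id}"
end

if __FILE__ == $PROGRAM_NAME
  p find_order_unscoped("2").total      # 99: user 10 reads user 11's order
  p find_order_for(10, "1").total       # 50: own order
  begin
    find_order_for(10, "2")
  rescue RecordNotFound => e
    puts "blocked: #{e.message}"        # foreign id is indistinguishable from a missing one
  end
end
```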
Handling sensitive information
Set in config/application.rb so the value never appears in logs:
config.filter_parameters << :password
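What `filter_parameters` does to a logged request, as an added plain-Ruby example (not Rails' ParameterFilter itself): a key is filtered when it contains any configured word, so `:password` also covers `password_confirmation`, and nested hashes and arrays are walked. The function name and `LOGIN_PARAMS` are constructed for this example.

```ruby
FILTERED = "[FILTERED]".freeze

# Replace the value of every key that contains one of the filter words, at any
# depth, with a placeholder; everything else is returned unchanged.
def filter_parameters(params, filters = [:password])
  patterns = filters.map { |f| f.to_s.downcase }
  case params
  when Hash
    params.each_with_object({}) do |(key, value), out|
      out[key] = if patterns.any? { |p| key.to_s.downcase.include?(p) }
                   FILTERED
                 else
                   filter_parameters(value, filters)
                 end
    end
  when Array
    params.map { |v| filter_parameters(v, filters) }
  else
    params
  end
end

# Constructed request parameters as a controller would see them.
LOGIN_PARAMS = {
  "utf8" => "1",
  "user" => {
    "email" => "alice@example.com",
    "password" => "hunter2",
    "password_confirmation" => "hunter2"
  },
  "api_keys" => [{ "label" => "ci", "secret" => "k-123" }]
}.freeze

if __FILE__ == $PROGRAM_NAME
  p filter_parameters(LOGIN_PARAMS)                      # only the password fields filtered
  p filter_parameters(LOGIN_PARAMS, [:password, :secret]) # api key secret filtered too
end
```

Add every other secret-bearing key (tokens, card numbers) to the same list; filtering is substring-based, so one word usually covers the variants.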