Thursday, June 19, 2008

Cross Site Scripting (XSS)

For now here’s what you need to do. When you see something like this:
<%= @asset.description %>
make sure you treat it as a potential XSS injection point (the description is user-supplied and is written into the page unescaped) and fix it like so:
<%= h(@asset.description) %>
h() is HTML escaping: it turns <, >, & and " into entities, which is the right fix when the value lands in HTML body text or inside a quoted attribute. It is not enough on its own for a value dropped into a <script> block (use escape_javascript there) or into an href/src, where a javascript: URL survives HTML escaping untouched.

Tainting, or XSS Shield (http://code.google.com/p/xss-shield)
XSS Shield protects your views against cross-site scripting attacks without error-prone manual escaping with h().

Instead of:

<%= h(item.name) %>

<%= link_to "#{h(item.first_name)}'s stuff", :action => :view, :id => item %>

You will be able to write:

<%= item.name %>

<%= link_to "#{item.first_name}'s stuff", :action => :view, :id => item %>



and all your views will be automatically protected. Protection works by tagging strings you trust - which are only those escaped by h(), generated by trusted helpers (like link_to, text_area, will_paginate etc.), or explicitly marked as trusted by you. If an untrusted string is to be displayed in a template it is h-escaped first. Note that the tag lives on the string object: interpolating a trusted string into a new literal produces a plain, untrusted String, so markup should be built by helpers or marked trusted explicitly rather than assembled with interpolation. Rails 3 and later build the same idea into the framework (escape by default, pass through only what is marked html_safe), so the plugin is only relevant to the Rails 1.x/2.x views this post is about.
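The two ideas above, manual h() escaping and the trusted-string tagging that XSS Shield adds, as an added example written for this post (it is neither the post's code nor the plugin's). Ruby's ERB stands in for an RHTML view; ERB::Util provides the same h()/html_escape that Rails views use. TrustedString, shield_h, shield_link_to and shield_output are hypothetical names for a minimal reimplementation of the tagging scheme, and the description and name values are constructed attacker input.

```ruby
require 'erb'
include ERB::Util # gives h() / html_escape, the escaping Rails' h() performs

# Constructed attacker-controlled value, standing in for @asset.description.
HOSTILE_DESCRIPTION = 'Nice asset <script>alert(document.cookie)</script> & "more"'

# Two ERB templates standing in for the RHTML views in the post.
UNESCAPED_VIEW = ERB.new('<p><%= description %></p>')
ESCAPED_VIEW   = ERB.new('<p><%= h(description) %></p>')

def render_unescaped(description)
  UNESCAPED_VIEW.result(binding) # the <script> lands in the page verbatim
end

def render_escaped(description)
  ESCAPED_VIEW.result(binding)   # < > & " become entities; the browser shows text
end

# ---- Tagging trusted strings, the XSS Shield approach (hypothetical minimal
# reimplementation for this example, not the plugin's own code) ----

# Only strings produced by escaping or by a trusted helper are TrustedString;
# anything else that reaches the output stage gets escaped.
class TrustedString < String; end

def trust(str)
  TrustedString.new(str)
end

# h() that never double-escapes: a TrustedString passes through unchanged.
def shield_h(value)
  return value if value.is_a?(TrustedString)
  trust(html_escape(value.to_s))
end

# A trusted helper in the spirit of link_to: it escapes its own inputs and
# marks the markup it builds as trusted.
def shield_link_to(text, href)
  trust(%(<a href="#{html_escape(href)}">#{shield_h(text)}</a>))
end

# What a shielded <%= %> does just before writing to the response.
def shield_output(value)
  shield_h(value).to_s
end

# Four outputs for one hostile first_name, mirroring the view lines above.
def shielded_examples(first_name)
  [
    shield_output(first_name),                               # raw attribute: escaped
    shield_output(shield_link_to("#{first_name}'s stuff", '/items/1')), # helper markup kept, text inside escaped
    shield_output(shield_h(first_name)),                     # already escaped: untouched
    shield_output("#{shield_h(first_name)}!")                # interpolation drops the tag: escaped twice
  ]
end

if __FILE__ == $0
  puts render_unescaped(HOSTILE_DESCRIPTION)
  puts render_escaped(HOSTILE_DESCRIPTION)
  puts shielded_examples('<b>Bob</b>')
end
```

The last entry of shielded_examples is the trap to watch for with this scheme: once a trusted string is interpolated into a fresh literal the result is an ordinary String, so the output stage escapes it again and the reader sees `&lt;` on the page. Build markup with helpers, or mark the assembled string trusted yourself, rather than concatenating.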

XSS Shield supports RHTML and HAML.

To install the plugin run:

./script/plugin install -x http://xss-shield.googlecode.com/svn/trunk/xss-shield/


Referred from Google and PeepCode

Sunday, May 18, 2008

Print Page functionality

Generate HTML code that includes two stylesheets, one for screen and one for print, like so:

<style>
  /* screen rules go here */
</style>

<style media="print">
  body { font-family: serif }
  .new-next, .new-print-btn { display: none; }
  a:after { content: ' [' attr(href) '] ' }
</style>

The first style block applies to the screen (the default when no media attribute is given).

Things to be noted in "Print"

Fonts should be serif (not sans-serif) for printing
Hide images as much as possible
Hide ads
Hide navigational elements
Use a black-on-white colour scheme
Underline links if any
Add the actual URL to your links (see below)
To append the href of each link to the link text on paper, add the following to your print stylesheet (straight quotes only; curly quotes make the rule invalid CSS):

a:after { content: ' [' attr(href) '] ' }

Finally, add a button that calls print():

<input type="button" value="Print" onclick="window.print()">

(The javascript: prefix sometimes seen in onclick handlers is unnecessary; inside an event handler it is just a label.)

[Ref: http://ariejan.net/2007/01/19/print-this-page-with-ruby-on-rails/ ]

Thursday, March 27, 2008

Removing Stale Rails Sessions

By default rails does not clear out stale sessions from the session store. To implement this feature I added the following small snippet of code;

class SessionCleaner
  def self.remove_stale_sessions
    # Destroy every row of the sessions table whose last activity (updated_on)
    # is older than the cutoff. The cutoff value did not survive in this post;
    # 20.minutes.ago is assumed here.
    CGI::Session::ActiveRecordStore::Session.
      destroy_all(['updated_on < ?', 20.minutes.ago])
  end
end

And then invoke the remove_stale_sessions method every 10 minutes from a scheduled job.
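The same sweep carried one step further, as an added example that is not the post's code and does not use ActiveRecord: besides the idle timeout on updated_on it enforces an absolute lifetime on created_on, so a session cannot be kept alive forever by a client that touches it every few minutes. SessionRow, StaleSessionPolicy and the sample rows are constructed for this example; the column names follow the post.

```ruby
require 'time'

# Constructed stand-in for a row of the Rails sessions table.
SessionRow = Struct.new(:session_id, :created_on, :updated_on)

class StaleSessionPolicy
  # idle_timeout: seconds since last activity (the updated_on check the post makes).
  # max_lifetime: seconds since creation; an absolute cap added in this example
  #               so a session cannot be kept alive indefinitely (assumption).
  def initialize(idle_timeout:, max_lifetime:)
    @idle_timeout = idle_timeout
    @max_lifetime = max_lifetime
  end

  # A row is stale if either clock has run out.
  def stale?(row, now = Time.now)
    row.updated_on < now - @idle_timeout || row.created_on < now - @max_lifetime
  end

  # The conditions array destroy_all would receive; bind parameters keep the
  # timestamps out of the SQL string.
  def conditions(now = Time.now)
    ['updated_on < ? OR created_on < ?', now - @idle_timeout, now - @max_lifetime]
  end

  # Pure-Ruby equivalent of destroy_all over an in-memory table.
  # Returns [kept_rows, destroyed_session_ids].
  def sweep(rows, now = Time.now)
    destroyed, kept = rows.partition { |r| stale?(r, now) }
    [kept, destroyed.map(&:session_id)]
  end
end

# Constructed sample data with a fixed "now" so the result is deterministic.
NOW = Time.utc(2008, 3, 27, 12, 0, 0)
SAMPLE_ROWS = [
  SessionRow.new('a1', NOW - 5 * 60,      NOW - 60),      # active: kept
  SessionRow.new('b2', NOW - 3 * 3600,    NOW - 45 * 60), # idle 45 min: stale
  SessionRow.new('c3', NOW - 2 * 86_400,  NOW - 60)       # pinged for two days: stale by lifetime
]

def demo_policy
  StaleSessionPolicy.new(idle_timeout: 20 * 60, max_lifetime: 24 * 3600)
end

def demo_sweep
  demo_policy.sweep(SAMPLE_ROWS, NOW)
end

if __FILE__ == $0
  kept, destroyed = demo_sweep
  puts "kept: #{kept.map(&:session_id).join(', ')}; destroyed: #{destroyed.join(', ')}"
end
```

Row c3 is the case the post's cleaner alone never catches: its updated_on is fresh, so an idle check keeps it, yet it was created two days ago. Whether that matters depends on how long you are willing to let a stolen session id stay usable.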

Reference: http://www.realityforge.org/articles/2006/03/01/removing-stale-rails-sessions