Curtis Summers
1/22/2007 3:24:00 PM
> But I then realized that was a major security hole. It allows an attacker
> to post stuff like:
> <input name="blog[connection.drop_database.something]"
> By the time the recursive send fails on "something=", the database has
> already been wiped. Well, this example doesn't really work (drop_database
> requires an argument), but you get the idea.
Well, if you are going to send an unescaped, form submitted value to
rsend, then, yes, that would be a security hole. But that's kind of
like saying you're going to allow an unescaped, client submitted value
to eval--which would be silly.
My usage of this is more along the lines of:
RoR controller w/ several actions that will render the same view. The
date that I want to show in that view might be one of several choices
of variable method depth depending on the action being rendered. So,
in each action I set the appropriate method call chain to pass to
rsend, and then use that variable in the view.
Here's a contrived example:
#controller
def action1
  # load the posts once; the view reads the date through the chain below
  @posts = Post.find(:all, :include => :comments)
  @use_this_date = [:posted_at]
  render :template => 'posts/list'
end

def action2
  @posts = Post.find(:all, :include => :comments)
  # the date lives one level down: post.comments.first.commented_at
  @use_this_date = [:comments, :first, :commented_at]
  render :template => 'posts/list'
end

#view
<% @posts.each do |post| %>
  <%= h post.title %>,
  <%= h post.rsend(*@use_this_date) %>
<% end %>
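The pattern above, with the hardening the thread implies, as an added example that is not from the original post or from any Rails release: a minimal `rsend` on `Object`, plus a lookup table of server-defined method chains so that a client-supplied parameter only ever selects a chain the controller already allows and is never split into method names itself. The `Post` and `Comment` structs, the `ALLOWED_DATE_CHAINS` table and the `safe_date` helper are assumptions standing in for the ActiveRecord models in the post.

```ruby
# Added example (not from the original thread): recursive send plus an
# allowlist, so only controller-chosen chains ever reach rsend.

class Object
  # Walk a chain of method names, calling each on the previous result.
  # public_send keeps private methods out of reach even for allowed chains.
  def rsend(*names)
    names.inject(self) { |obj, name| obj.public_send(name) }
  end
end

# Constructed sample models (assumed, not from the thread) standing in
# for the ActiveRecord objects in the original post.
Comment = Struct.new(:commented_at)
Post    = Struct.new(:title, :posted_at, :comments)

# The only chains the view may use. A request can pick one by key; it can
# never supply the method names directly, which is the hole the thread
# describes (a chain like "connection.drop_database.x" coming from a form).
ALLOWED_DATE_CHAINS = {
  "posted"    => [:posted_at],
  "commented" => [:comments, :first, :commented_at],
}.freeze

# Map a client-supplied selector to a server-defined chain; unknown keys
# raise before any method is sent.
def date_chain_for(param)
  ALLOWED_DATE_CHAINS.fetch(param.to_s) do
    raise ArgumentError, "unsupported date selector: #{param.inspect}"
  end
end

# What the view would call: the chain is resolved from the allowlist, so
# the only thing the request controls is which allowed chain runs.
def safe_date(post, param)
  post.rsend(*date_chain_for(param))
end

if __FILE__ == $0
  post = Post.new("Hello", "2007-01-22", [Comment.new("2007-01-23")])
  puts safe_date(post, "posted")      # 2007-01-22
  puts safe_date(post, "commented")   # 2007-01-23
end
```

The point of the table is that `rsend` itself stays as general as the thread wants it for controller use, while the request-facing surface is a fixed set of keys; the same check is what turns "unescaped client value to rsend" into a lookup rather than an `eval`-like primitive.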