Jano Svitok
9/17/2007 7:48:00 PM
On 9/17/07, Tobi Reif <tobiasreif@pinkjuice.com> wrote:
> Hi
>
> In a web app that will soon be out there in the vast and partially
> evil web, I might take a string which a user supplied via an HTML
> form, and use it roughly like this:
>
> some_str.downcase.include?(user_supplied_str.downcase)
>
> Would this be dangerous? Could the visitor smuggle in stuff like
> backticks or #{}?
No. Here it's perfectly safe - you have to call eval to evaluate #{},
`` etc. Other dangerous actions might be "send", "class_eval", ... but
here you are not using any of them.