comp.lang.ruby

h() or html_escape() not escape the single quote... risky?

SpringFlowers AutumnMoon

9/27/2008 7:29:00 PM

so h() is an alias for html_escape() and they convert the following 4
characters

< > & "

into

&lt; &gt; &amp; &quot;

the single quote is not converted...

I just wonder: sometimes we happen to write code such as

<input type='hidden' value='<%= h(user_comment) %>'>

and it can cause a cross-site scripting (XSS) attack?

we usually use double quotes, but sometimes we use single quotes, like when
somebody writes

puts "<input type='hidden' value='" + h(user_comment) + "'>"

(sorry, I have used PHP for quite some time and so my Ruby is rusty...)
--
Posted via http://www.ruby-....

9 Answers

Andreas S.

9/27/2008 8:23:00 PM

0

This is a Rails question. Please ask Rails questions in a Rails forum,
not on the Ruby mailing list.

SpringFlowers AutumnMoon wrote:
> the single quote is not converted...
>
> I just wonder sometimes we happen to write code such as
>
> <input type='hidden' value='<%= h(user_comment %>'>

Just don't, it's not correct HTML.
--
Posted via http://www.ruby-....

Nobuyoshi Nakada

9/27/2008 8:33:00 PM

0

Hi,

At Sun, 28 Sep 2008 04:28:45 +0900,
SpringFlowers AutumnMoon wrote in [ruby-talk:316193]:
> the single quote is not converted...

I guess that is because the character entity reference of
single quote isn't defined in HTML.

> we usually use double quote but sometimes we use single quote like
> somebody can write
>
> puts "<input type='hidden' value='" + h(user_comment %> + "'>"
>

You can use other delimiters than double quote and single quote.

puts %[<input type="hidden" value="#{h(user_comment)}">]

or heredoc.

puts <<HIDDEN
<input type="hidden" value="#{h(user_comment)}">
HIDDEN

Heredocs include the trailing newline, but that makes no difference when
used with #puts.

--
Nobu Nakada
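The risk the question raises, worked through as an added example (this is not code from the thread or from Rails): `rails_style_escape` re-implements the four-character escape the post describes, `escape_with_apostrophe` adds the single quote as the numeric reference `&#39;` (no named apostrophe entity exists in HTML 4, which is Nobu's point; `&apos;` is XML), and a toy attribute scanner shows which rendering lets a constructed comment value add an attribute the template never wrote. Function and constant names, and the sample comment, are mine.

```ruby
# Added example, not code from the thread or from Rails.
# Four-character escape table, as the question describes h()/html_escape.
HTML_ESCAPE_4 = { "&" => "&amp;", "<" => "&lt;", ">" => "&gt;", '"' => "&quot;" }.freeze
# Same table plus the apostrophe as a numeric reference: HTML 4 defines no
# named entity for it (&apos; is XML/XHTML), so &#39; is safe in every HTML parser.
HTML_ESCAPE_5 = HTML_ESCAPE_4.merge("'" => "&#39;").freeze

# Mimics the 2008-era behaviour the post describes: < > & " only.
def rails_style_escape(s)
  s.to_s.gsub(/[&<>"]/, HTML_ESCAPE_4)
end

# Hardened variant: also neutralises the single quote.
def escape_with_apostrophe(s)
  s.to_s.gsub(/[&<>"']/, HTML_ESCAPE_5)
end

# The two renderings from the thread: a single-quoted attribute, and Nobu's
# double-quoted %[] form.  `escaper` is anything that responds to #call.
def single_quoted_input(value, escaper)
  "<input type='hidden' value='#{escaper.call(value)}'>"
end

def double_quoted_input(value, escaper)
  %[<input type="hidden" value="#{escaper.call(value)}">]
end

# Toy attribute scanner for one tag (not a full HTML parser): returns
# { name => value } for every quoted attribute, roughly as a browser would see it.
def attributes_of(tag)
  tag.scan(/([\w-]+)=(?:'([^']*)'|"([^"]*)")/).each_with_object({}) do |(name, sq, dq), attrs|
    attrs[name] = sq || dq
  end
end

# Defender's check: any attribute name the template did not write means the
# user value broke out of the quoted value.
def injected_attributes(tag, expected = %w[type value])
  attributes_of(tag).keys - expected
end

# Constructed user input: a quote followed by what looks like a new attribute.
CONSTRUCTED_COMMENT = "plain' title='injected".freeze

if __FILE__ == $0
  four = ->(s) { rails_style_escape(s) }
  five = ->(s) { escape_with_apostrophe(s) }
  [
    ["single quotes + 4-char escape", single_quoted_input(CONSTRUCTED_COMMENT, four)],
    ["single quotes + apostrophe escape", single_quoted_input(CONSTRUCTED_COMMENT, five)],
    ["double quotes + 4-char escape", double_quoted_input(CONSTRUCTED_COMMENT, four)],
  ].each do |label, tag|
    extra = injected_attributes(tag)
    puts "#{label}: #{tag}"
    puts "  injected attributes: #{extra.empty? ? 'none' : extra.join(', ')}"
  end
end
```

Only the first combination (single-quoted attribute with the four-character escape) yields an extra `title` attribute; either fix on its own closes the gap. Escaping the apostrophe in the escaper is the more robust choice, since it does not depend on every template author remembering to use double quotes.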

Free Lunch

2/19/2012 7:50:00 PM

0

On Sun, 19 Feb 2012 11:36:24 -0800, Jason@nospam.com (Jason) wrote in
alt.talk.creationism:

>In article <dfritzin-F553C4.09384919022012@news.eternal-september.org>,
>David Fritzinger <dfritzin@nospamtome.hotmail.com> wrote:
>
>> In article <Jason-1902120050330001@66-53-217-99.lsan.mdsg-pacwest.com>,
>> Jason@nospam.com (Jason) wrote:
>>
>> > In article
>> > <a0887e18-296a-4efd-91ae-4d97894bc73a@k10g2000yqk.googlegroups.com>,
>> > Devils Advocaat <mankygoat7@gmail.com> wrote:
>> >
>> > > On Feb 18, 10:53=A0am, Ja...@nospam.com (Jason) wrote:
>> > > > In article
>> > > > <69bffce8-084d-4366-aaee-05a3aaf1a...@w19g2000vbe.googlegroups.com>,
>> > > >
>> > > > Devils Advocaat <mankygo...@gmail.com> wrote:
>> > > > > On Feb 18, 9:13=3DA0am, Ja...@nospam.com (Jason) wrote:
>> > > > > > In article
>> > > > > >
><caf2573a-66fa-481c-bb60-096cb9f81...@w4g2000vbc.googlegroups.com>, D=
>> > > evil=3D
>> > > > > s
>> > > >
>> > > > > > Advocaat <mankygo...@gmail.com> wrote:
>> > > > > > > On Feb 17, 8:46=3D3DA0am, Ja...@nospam.com (Jason) wrote:
>> > > > > > > > In article
><Wfi%q.334225$xn3.208...@news.usenetserver.com>, Caran=
>> > > x la=3D
>> > > > > tus
>> > > >
>> > > > > > > > <aug.r...@gmail.com> wrote:
>> > > > > > > > > On 16/02/2012 6:47 PM, Jason wrote:
>> > > > > > > > > > In
>article<dfritzin-A7E816.18210416022...@news.eternal-septem=
>> > > ber.=3D
>> > > > > org>=3D3D
>> > > > > > > ,
>> > > > > > > > > > David Fritzinger<dfrit...@nospamtome.hotmail.com>
>=3D3DA0wrot=
>> > > e:
>> > > >
>> > > > > > > > > >> In article
>> > > > > > > > > >>
><Jason-1602121321500...@67-150-173-128.lsan.mdsg-pacwest.com=
>> > > >,
>> > > > > > > > > >> =3D3DA0 Ja...@nospam.com (Jason) wrote:
>> > > > > > > > > >> [snip]
>> > > > > > > > > >>> Another point--there is not a lot of difference
>between kil=
>> > > ling=3D
>> > > > > =A0a 8=3D3D
>> > > > > > > =3DA0month
>> > > > > > > > > >>> old fetus and a premature baby.
>> > > >
>> > > > > > > > > >> The number of abortions performed in the third
>trimester is =
>> > > vani=3D
>> > > > > shin=3D3D
>> > > > > > > gly
>> > > > > > > > > >> small, and usually to either save the life of the
>mother or =
>> > > beca=3D
>> > > > > use =3D3D
>> > > > > > > the
>> > > > > > > > > >> fetus was massively deformed.
>> > > >
>> > > > > > > > > >>> My major point--abortion is equal to murder.
>> > > >
>> > > > > > > > > >> Not according to the United States government, nor to
>most o=
>> > > f th=3D
>> > > > > e
>> > > > > > > > > >> governments in the world.
>> > > >
>> > > > > > > > > >>> Murder is a violation of God's laws and in most
>cases is a =
>> > > viol=3D
>> > > > > atio=3D3D
>> > > > > > > n of
>> > > > > > > > > >>> mankind's law.
>> > > >
>> > > > > > > > > > Does the Declaration of Independence guarantee
>Americans with=
>> > > the
>> > > > > > > > right to life?
>> > > >
>> > > > > > > > > No, it doesn't.
>> > > >
>> > > > > > > > Yes, it does.
>> > > >
>> > > > > > > Is the Declaration of Independence, part of the legislation of the
>> > > > > > > USA?
>> > > >
>> > > > > > > As far as I am aware, it isn't.
>> > > >
>> > > > > > It's a very important historical document.
>> > > >
>> > > > > Care to answer my question?
>> > > >
>> > > > You are correct.
>> > >
>> > > So what is in the Declaration of Independence has no relevance to
>> > > legislation in the USA.
>> >
>> > It's my point of view that it's more important than any letter that has
>> > been written by a president. As you know, the supreme court case related
>> > to separation of Church And State was based on a letter that was written
>> > by a president.
>>
>> No, it was based on the First Amendment to the Constitution. Do you
>> always have to lie?
>
>Do some research--I am correct. I seem to recall that the letter was
>written by Jefferson. He said something like the church and state should
>be separate in that letter.
>
Jason, you have been wrong every time people disagreed with you. You are
not correct this time either. You are repeating some lies that were
propagated by enemies of the First Amendment, people who want to inflict
their religion on other people.

DanielSan

2/19/2012 10:32:00 PM

0

On 2/19/2012 11:47 AM, Free Lunch wrote:
> On Sun, 19 Feb 2012 11:38:05 -0800, Jason@nospam.com (Jason) wrote in
> alt.talk.creationism:
>
>> In article<6m32k71i1shvoolnpj644nibem1pprnf71@4ax.com>, Free Lunch
>> <lunch@nofreelunch.us> wrote:
>>
>>> On Sun, 19 Feb 2012 00:50:33 -0800, Jason@nospam.com (Jason) wrote in
>>> alt.talk.creationism:
>>>
>>>> In article
>>>> <a0887e18-296a-4efd-91ae-4d97894bc73a@k10g2000yqk.googlegroups.com>,
>>>> Devils Advocaat<mankygoat7@gmail.com> wrote:
>>>>
>>>>> On Feb 18, 10:53=A0am, Ja...@nospam.com (Jason) wrote:
>>> ...
>>>>>>>>> Is the Declaration of Independence, part of the legislation of the
>>>>>>>>> USA?
>>>>>>
>>>>>>>>> As far as I am aware, it isn't.
>>>>>>
>>>>>>>> It's a very important historical document.
>>>>>>
>>>>>>> Care to answer my question?
>>>>>>
>>>>>> You are correct.
>>>>>
>>>>> So what is in the Declaration of Independence has no relevance to
>>>>> legislation in the USA.
>>>>
>>>> It's my point of view that it's more important than any letter that has
>>>> been written by a president. As you know, the supreme court case related
>>>> to separation of Church And State was based on a letter that was written
>>>> by a president.
>>>>
>>> No, it was not. It was based on the Constitution.
>>
>> It was mainly based on a letter that was written by Jefferson.
>>
> No, it was not. You really are pathetically ignorant. That would not be
> so bad if you weren't so proud of how little you know.
>
> Why do you worship ignorance?

It's easier and doesn't take as much time and energy as knowledge?

David Fritzinger

2/20/2012 11:47:00 AM

0

In article <Jason-1902122338350001@66.53.221.239>,
Jason@nospam.com (Jason) wrote:

> In article <dfritzin-C683E1.14400519022012@news.eternal-september.org>,
> David Fritzinger <dfritzin@nospamtome.hotmail.com> wrote:
>
> > In article
> > <Jason-1902121136250001@67-150-171-59.lsan.mdsg-pacwest.com>,
> > Jason@nospam.com (Jason) wrote:
> >
> > > In article <dfritzin-F553C4.09384919022012@news.eternal-september.org>,
> > > David Fritzinger <dfritzin@nospamtome.hotmail.com> wrote:
[snip]
> > > > No, it was based on the First Amendment to the Constitution. Do you
> > > > always have to lie?
> > >
> > > Do some research--I am correct. I seem to recall that the letter was
> > > written by Jefferson. He said something like the church and state should
> > > be separate in that letter.
> >
> > Yes, he did. However, that was *not* the basis for the decision. The
> > First Amendment was the basis for the decision.
>
> Jefferson's letter is mentioned in that Supreme Court decision--true or
> false.

You are making the assertion. You tell me. Make sure to back up your
answer with a cite.

IOW, I am not going to do your work for you.

Mitchell Holman

2/20/2012 1:25:00 PM

0

Jason@nospam.com (Jason) wrote in
news:Jason-1902122338350001@66.53.221.239:

> In article
> <dfritzin-C683E1.14400519022012@news.eternal-september.org>, David
> Fritzinger <dfritzin@nospamtome.hotmail.com> wrote:
>
>> In article
>> <Jason-1902121136250001@67-150-171-59.lsan.mdsg-pacwest.com>,
>> Jason@nospam.com (Jason) wrote:
>>
>> > > > >
>> > > > > So what is in the Declaration of Independence has no
>> > > > > relevance to legislation in the USA.
>> > > >
>> > > > It's my point of view that it's more important than any letter
>> > > > that has been written by a president. As you know, the supreme
>> > > > court case related to separation of Church And State was based
>> > > > on a letter that was written by a president.
>> > >
>> > > No, it was based on the First Amendment to the Constitution. Do
>> > > you always have to lie?
>> >
>> > Do some research--I am correct. I seem to recall that the letter
>> > was written by Jefferson. He said something like the church and
>> > state should be separate in that letter.
>>
>> Yes, he did. However, that was *not* the basis for the decision. The
>> First Amendment was the basis for the decision.
>
> Jefferson's letter is mentioned in that Supreme Court decision--true
> or false.
>

What Supreme Court case?

Jason

2/20/2012 11:51:00 PM

0

In article <Xns9FFF4B287F4BEnomailcomcastnet@216.196.121.131>, Mitchell
Holman <nomailcomcast.net> wrote:

> Jason@nospam.com (Jason) wrote in
> news:Jason-1902122338350001@66.53.221.239:
>
> > In article
> > <dfritzin-C683E1.14400519022012@news.eternal-september.org>, David
> > Fritzinger <dfritzin@nospamtome.hotmail.com> wrote:
> >
> >> In article
> >> <Jason-1902121136250001@67-150-171-59.lsan.mdsg-pacwest.com>,
> >> Jason@nospam.com (Jason) wrote:
> >>
> >> > > > >
> >> > > > > So what is in the Declaration of Independence has no
> >> > > > > relevance to legislation in the USA.
> >> > > >
> >> > > > It's my point of view that it's more important than any letter
> >> > > > that has been written by a president. As you know, the supreme
> >> > > > court case related to separation of Church And State was based
> >> > > > on a letter that was written by a president.
> >> > >
> >> > > No, it was based on the First Amendment to the Constitution. Do
> >> > > you always have to lie?
> >> >
> >> > Do some research--I am correct. I seem to recall that the letter
> >> > was written by Jefferson. He said something like the church and
> >> > state should be separate in that letter.
> >>
> >> Yes, he did. However, that was *not* the basis for the decision. The
> >> First Amendment was the basis for the decision.
> >
> > Jefferson's letter is mentioned in that Supreme Court decision--true
> > or false.
> >
>
> What Supreme Court case?

The one that made it illegal for Christians to pray in public schools or
for grade school teachers requiring students to say the Lord's Prayer
together like they did when I was in the second grade. In the 1800s, it
was legal for students to pray or discuss Jesus in their songs and reports
that they were required to write. As a result of the Supreme Court case,
students are no longer allowed to do those sorts of things. This little
girl got in trouble for wanting to sing a Christian song. She would not
have gotten in trouble in the 1800s for singing a Christian song.

Read this:

http://www.bjcpa.org/news/news/060606_s...

ACLU backs student's right to sing Christian song

June 6, 2006

FRENCHTOWN, N.J. (RNS) The American Civil Liberties Union filed a legal
brief Monday (June 5) supporting an elementary school student's right to
express her religion by singing a pop Christian song at a school talent
show.

Maryann and Robert Turton sued the district last year after the school
struck the act from its performance list. School officials said the
Turtons' daughter, Olivia, then in second grade, could not sing the song
"Awesome God" at the evening talent show because it was too religious for
a school setting.

After the suit was filed in federal court in Trenton, the ACLU asked to
intervene in the case.

School officials banned Olivia from singing the song, arguing its content
was unsuitable for the school-run talent show held in May 2005. Concerned
about crossing the line separating church from state, they said the
performance might lead the audience to believe the school endorsed
Olivia's religion.

Olivia did perform, but sang a song from "Annie" along with a group of friends.

A hearing in the case has been tentatively set for July 3 before U.S.
District Judge Stanley Chesler.

Demetrios Stratis, attorney for the Turton family, said he hopes for a
summary judgment, in which the judge would decide the case on the basis of
oral arguments rather than proceeding to trial.

Catherine Lent, president of the Frenchtown Board of Education, last year
said the school does not want to be viewed as being against religion.

"We're not anti-Christian; I went to a Christian college," Lent said.
"We're just anti-this song."

In court documents filed last week, the school board said the song was not
appropriate for several reasons, including "violent imagery," and cited
lyrics that read, "There is thunder in his footsteps and lightning in his
fists" and "It wasn't for no reason that He shed his blood."

-- Bev McCarron and Joe Tyrrell
Copyright 2006 Baptist Joint Committee 200 Maryland Avenue N.E.,
Washington, DC 20002 (202) 544-4226


Mitchell Holman

2/21/2012 1:00:00 AM

0

Jason@nospam.com (Jason) wrote in
news:Jason-2002121550330001@67-150-168-157.lsan.mdsg-pacwest.com:

> In article <Xns9FFF4B287F4BEnomailcomcastnet@216.196.121.131>,
> Mitchell Holman <nomailcomcast.net> wrote:
>
>> Jason@nospam.com (Jason) wrote in
>> news:Jason-1902122338350001@66.53.221.239:
>>
>> > In article
>> > <dfritzin-C683E1.14400519022012@news.eternal-september.org>, David
>> > Fritzinger <dfritzin@nospamtome.hotmail.com> wrote:
>> >
>> >> In article
>> >> <Jason-1902121136250001@67-150-171-59.lsan.mdsg-pacwest.com>,
>> >> Jason@nospam.com (Jason) wrote:
>> >>
>> >> > > > >
>> >> > > > > So what is in the Declaration of Independence has no
>> >> > > > > relevance to legislation in the USA.
>> >> > > >
>> >> > > > It's my point of view that it's more important than any
>> >> > > > letter that has been written by a president. As you know,
>> >> > > > the supreme court case related to separation of Church And
>> >> > > > State was based on a letter that was written by a president.
>> >> > >
>> >> > > No, it was based on the First Amendment to the Constitution.
>> >> > > Do you always have to lie?
>> >> >
>> >> > Do some research--I am correct. I seem to recall that the letter
>> >> > was written by Jefferson. He said something like the church and
>> >> > state should be separate in that letter.
>> >>
>> >> Yes, he did. However, that was *not* the basis for the decision.
>> >> The First Amendment was the basis for the decision.
>> >
>> > Jefferson's letter is mentioned in that Supreme Court
>> > decision--true or false.
>> >
>>
>> What Supreme Court case?
>
> The one that made it illegal for Christians to pray in public schools
> or for grade school teachers requiring students to say the Lord's
> Prayer together like they done when I was in the second grade. In the
> 1800's, it was legal for students to pray or discuss Jesus in their
> songs and reports that they were required to write. As a result of the
> Supreme Court case, students are no longer allowed to do those sorts
> of things. This little girl got in trouble for wanting to sing a
> Christian song. She would not have gotten in trouble in the 1800s for
> singing a Christian song.
>


No, she would have doubtless been REQUIRED
to sing a Christian song - even if she wasn't
Christian.

See the problem now?

Jim Burns

2/21/2012 3:16:00 PM

0

On 2/20/2012 7:59 PM, Mitchell Holman wrote:
> Jason@nospam.com (Jason) wrote in
> news:Jason-2002121550330001@67-150-168-157.lsan.mdsg-pacwest.com:
>> In article
>> <Xns9FFF4B287F4BEnomailcomcastnet@216.196.121.131>,
>>Mitchell Holman <nomailcomcast.net> wrote:

>>> What Supreme Court case?
>>
>> The one that made it illegal for Christians to pray in public schools
>> or for grade school teachers requiring students to say the Lord's
>> Prayer together like they done when I was in the second grade. In the
>> 1800's, it was legal for students to pray or discuss Jesus in their
>> songs and reports that they were required to write. As a result of the
>> Supreme Court case, students are no longer allowed to do those sorts
>> of things. This little girl got in trouble for wanting to sing a
>> Christian song. She would not have gotten in trouble in the 1800s for
>> singing a Christian song.
>
> No, she would have doubtless been REQUIRED
> to sing a Christian song - even if she wasn't
> Christian.
>
> See the problem now?

Heck, she would have been required to say the RIGHT KIND
of Christian prayer. This is actual history, not speculation,
and the reason there have been so many Catholic schools in the US.

http://en.wikipedia.org/wiki/Eliot_School...
! On March 7, a teacher at the Eliot School in Boston,
! Miss Sophia Shepard, called on ten-year-old Thomas Whall
! to recite the Ten Commandments. Whall refused because he
! was Catholic and Shepard insisted that the Commandments
! be recited as written in the Protestant King James Bible.

I bet this is the real reason "official" prayers were banned, not
to protect atheists, but to protect RELIGIOUS minorities.

A lot of snake handlers and speakers in tongues hate that decision,
but they can only do that because they are able to ignore that it
is the great seriousness we take religious freedom in this country
that lets their churches exist at all.