Posted over 10 years ago.

Unsafe string methods in Rails

When you encounter an unsafe string that you had previously made html_safe, you have probably called one of the following methods on it:

"capitalize", "chomp", "chop", "delete", "downcase", "gsub", "lstrip", "next", "reverse", "rstrip", "slice", "squeeze", "strip", "sub", "succ", "swapcase", "tr", "tr_s", "upcase"

All of these methods can introduce unescaped content, so they return an unsafe String even when called on a SafeBuffer. Their in-place variants (e.g. sub! instead of sub) raise a TypeError.

This is to prevent tricks like my_safe_string.gsub!(/.*/, params[:user_input]).
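A simplified re-implementation of these rules, as an added illustration rather than ActiveSupport's own code: the class DemoSafeBuffer and the helpers safe_for_html?, render and demo are names assumed here, not Rails APIs.

```ruby
require "erb"

# Simplified model of the SafeBuffer rules described above (added example,
# not ActiveSupport's code): an html_safe String subclass whose listed
# methods return a plain unsafe String and whose bang variants raise TypeError.
class DemoSafeBuffer < String
  UNSAFE_STRING_METHODS = %w[
    capitalize chomp chop delete downcase gsub lstrip next reverse rstrip
    slice squeeze strip sub succ swapcase tr tr_s upcase
  ].freeze

  def html_safe?
    true
  end

  UNSAFE_STRING_METHODS.each do |name|
    # Non-bang variant: delegate to String, but hand back a plain String so
    # the result is escaped again when rendered (slice may return nil).
    define_method(name) do |*args, &block|
      result = super(*args, &block)
      result.is_a?(String) ? String.new(result) : result
    end
    # Bang variant would splice possibly unescaped input into the safe buffer.
    define_method("#{name}!") do |*_args, &_block|
      raise TypeError, "Cannot modify #{self.class} in place"
    end
  end
end

# What a view does with a value: trust it only if it claims to be html_safe.
def safe_for_html?(value)
  value.respond_to?(:html_safe?) && value.html_safe?
end

def render(value)
  safe_for_html?(value) ? value.to_s : ERB::Util.html_escape(value)
end

# Walks through the three behaviours from the card on constructed input.
def demo
  safe = DemoSafeBuffer.new("<b>Hello</b>")
  user_input = "<script>alert(1)</script>"  # constructed, attacker-controlled
  inplace_error = begin
    safe.gsub!(/.*/, user_input)
    nil
  rescue TypeError => e
    e.class
  end
  {
    upcase_still_safe: safe_for_html?(safe.upcase),         # false
    rendered_gsub: render(safe.gsub(/Hello/, user_input)),  # escaped as a whole
    inplace_error: inplace_error,                           # TypeError
    buffer_untouched: safe.to_s                             # "<b>Hello</b>"
  }
end
```

Note that the non-bang gsub result loses the markup of the original buffer too: once a String is unsafe, the whole value is escaped on render, which is the intended trade-off.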

By refactoring problematic code and creating automated tests, makandra can vastly improve the maintainability of your Rails application.

Last edit: over 9 years ago
Posted by Dominik Schöler to makandra dev