I've read and understand the great ways Rails sanitizes data when going from server to client, but I have a question that I would love to get some guidance/input on.
Some developers are now discussing sanitizing all data and fields on form input, but I feel this is complete overkill since the problem is that we have client side vulnerabilities with the popups, etc.
Does anyone out there actually sanitize values on form validation? Not only do I feel that this is overkill, it could lead to problems with data changing unexpectedly, etc.
What are your thoughts when architecting field persistence in a Rails app to prevent XSS?
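The trade-off the post describes, shown as an added example that is not the poster's own code: sanitize-on-input rewrites what gets stored, while escape-on-output (what Rails' ERB templates do by default via `ERB::Util.html_escape`, the stdlib function behind `h`) stores the value as given and neutralizes markup only at render time. The sample inputs and the tag-stripping regex are constructed for illustration.

```ruby
require 'erb'

# Constructed sample inputs (not from the original post): a benign value that
# input sanitizing mangles, and a value carrying markup that must not render as HTML.
SAMPLE_INPUTS = {
  benign: 'Tom & Jerry, 1 < 2',
  markup: '<b>not bold</b>'
}.freeze

# "Sanitize on input": strip tag-like text and special characters before persisting.
# This is the approach the thread calls overkill: the stored data is silently changed.
def sanitize_on_input(value)
  value.gsub(/<[^>]*>/, '').gsub(/[<>&]/, '')
end

# "Escape on output": persist the raw value untouched ...
def persist(value)
  value.dup.freeze
end

# ... and escape it when rendering, as ERB templates in Rails do by default.
def render_text(stored)
  ERB::Util.html_escape(stored)
end

# Compare what each strategy leaves in the database and what reaches the browser.
def compare(value)
  stored = persist(value)
  {
    stored_input_sanitized: sanitize_on_input(value),
    stored_output_escaped: stored,
    rendered: render_text(stored)
  }
end

if __FILE__ == $PROGRAM_NAME
  SAMPLE_INPUTS.each { |name, value| puts "#{name}: #{compare(value)}" }
end
```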
Thanks Jacob, I'm definitely leaning toward putting it into the ViewModel to keep all business/view logic in a single entity; I was curious what the Rails community's thoughts were.
Appreciate the responses!
Thanks Jack, so you would use a helper like:
Text: <%= custom_text(status) %>
The only con I see with this approach is now you have a ViewModel and a helper file vs keeping all of the logic in the ViewModel.
If that's the best convention though I'll go with it!
I have a view that is showing a list of steps. The steps are being pulled from the db with a status field.
There is a method that I've created that creates custom text based on the status, ie:
def return_custom_text(status) ... some code to determine the custom string end
I already have a ViewModel that is assembling the data and has an attribute called 'steps' that the view will use to list the steps, but I need to add the custom_text to each step.
Should I create a helper method and call from the view, or simply create a method in my ViewModel that loops through the steps and creates a new array with the added 'custom_text' attribute?
I was hoping to avoid helper methods since I'm trying to keep my views as codeless as possible. What is the best practice here?