Mark Kadlec


Posted in Preventing XSS in a Rails app, accepted architecture?

I've read and understand the great ways Rails sanitizes data when going from server to client, but I have a question that I would love to get some guidance/input on.

Recently it was discovered there were a couple of places in our code that took user input (first_name, last_name) and created a JavaScript popup all on the client. You can see the issue where a user could potentially provide a name of <script>hello()</script>.

Some developers are now discussing sanitizing all data and fields on form input, but I feel this is complete overkill since the problem is that we have client-side vulnerabilities with the popups, etc.

Does anyone out there actually sanitize values on form validation? Not only do I feel that this is overkill, it could lead to problems with data changing unexpectedly, etc.

What are your thoughts when architecting field persistence in a Rails app to prevent XSS?
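An added example (plain Ruby using only the standard library, not code from this thread or from Rails) contrasting the client-side popup pattern the post describes with encoding the same stored value for each output context; the helper names and the sample name are constructed for illustration.

```ruby
require "erb"
require "json"

# Constructed sample input standing in for the first_name field from the post.
FIRST_NAME = "<script>hello()</script>"

# The pattern the post describes: the raw field is dropped straight into a
# client-side popup call, so markup or quotes inside the name become part of
# the script instead of part of the string.
def popup_unescaped(name)
  "<script>alert('Hello, #{name}');</script>"
end

# Encode for the JavaScript-string context at output time. to_json yields a
# quoted, backslash-escaped literal; <, > and & are additionally written as
# \uXXXX so that a name containing "</script>" cannot close the enclosing tag.
JS_SAFE = { "<" => "\\u003c", ">" => "\\u003e", "&" => "\\u0026" }.freeze

def js_literal(value)
  value.to_s.to_json.gsub(/[<>&]/, JS_SAFE)
end

def popup_escaped(name)
  "<script>alert('Hello, ' + #{js_literal(name)});</script>"
end

# The same field rendered in an HTML context uses the HTML encoder instead;
# the stored value stays untouched and each sink applies its own encoding.
def html_text(name)
  "<span>#{ERB::Util.html_escape(name)}</span>"
end

if $PROGRAM_NAME == __FILE__
  puts popup_unescaped(FIRST_NAME)
  puts popup_escaped(FIRST_NAME)
  puts html_text(FIRST_NAME)
end
```

In a Rails view the equivalent helpers are `escape_javascript` (`j`) for a JavaScript string literal and the default `<%= %>` escaping for HTML text.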

Posted in What is the best way to house view logic?

Thanks Jacob, I'm definitely leaning toward putting it into the ViewModel to keep all Business/View logic in a single entity; I was curious what the Rails community's thoughts were.

Appreciate the responses!

Posted in What is the best way to house view logic?

Thanks Jack, so you would use a helper like:

Text: <%= custom_text(status) %>

The only con I see with this approach is now you have a ViewModel and a helper file vs keeping all of the logic in the ViewModel.

If that's the best convention though I'll go with it!

Posted in What is the best way to house view logic?

I have a view that is showing a list of steps. The steps are being pulled from the db with a status field.

There is a method that I've created that creates custom text based on the status, i.e.:

def return_custom_text(status)
  # ... some code to determine the custom string
end

I already have a ViewModel that is assembling the data and has an attribute called 'steps' that the view will use to list the steps, but I need to add the custom_text to each step.

Should I create a helper method and call from the view, or simply create a method in my ViewModel that loops through the steps and creates a new array with the added 'custom_text' attribute?

I was hoping to avoid helper methods since I'm trying to keep my views as codeless as possible; what is the best practice here?