@benpickles
Created December 18, 2009 10:28
# Brutal hack to make all string/text columns alert("hack") if they're not
# being properly escaped.
#
# Run it inside a Rails process (script/console or script/runner) against a
# throwaway development database: every string/text column of every
# ActiveRecord model is overwritten with a script tag, so any view that
# renders a field without escaping it pops the alert.

# Load every model class under app/models and keep only direct ActiveRecord
# subclasses (skips non-AR classes and anything with another parent).
models = Dir['app/models/*.rb'].map { |path|
  name = File.basename(path, '.*')
  name.camelize.constantize
}.reject { |klass|
  klass.superclass != ActiveRecord::Base
}

# The marker payload written into every text column.
hack = '<script type="text/javascript">alert("hack")</script>'

models.each do |model|
  # Column#text? is true for :string and :text columns.
  text_columns = model.columns.select(&:text?).map(&:name)
  if text_columns.any?
    puts "Hacking #{model.name}: #{text_columns.join(', ')}"
    sql = "UPDATE #{model.table_name} SET "
    sql << text_columns.map { |name|
      "`#{name}` = '#{hack}'"
    }.join(', ')
    # Swallow errors (missing table, NOT NULL or uniqueness constraints) so
    # the remaining models are still processed.
    model.connection.execute sql rescue nil
  end
end
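The gist seeds the database and leaves spotting the alert to a human clicking through the app. As an added example (not part of the gist), the same marker string can be checked mechanically: render each template with the marker in a text field and flag any that emit it unescaped rather than as `&lt;script ...`. The two ERB templates, their names and the `bio` field are constructed for illustration.

```ruby
require 'erb'

# Same marker payload the gist writes into every text column.
XSS_MARKER = '<script type="text/javascript">alert("hack")</script>'

# :unescaped if the raw marker appears anywhere in the rendered HTML,
# :escaped if it only appears HTML-escaped, :absent if not rendered at all.
def classify_output(html)
  return :unescaped if html.include?(XSS_MARKER)
  return :escaped if html.include?(ERB::Util.html_escape(XSS_MARKER))
  :absent
end

# Constructed templates standing in for app views: one escapes the value
# (the h() helper in Rails 2 does the same), one interpolates it raw, which
# is exactly the bug the gist's payload is meant to surface.
SAFE_TEMPLATE   = ERB.new('<p class="bio"><%= ERB::Util.html_escape(bio) %></p>')
UNSAFE_TEMPLATE = ERB.new('<p class="bio"><%= bio %></p>')

def render(template, bio)
  template.result_with_hash(bio: bio)
end

# Render every named view with the marker seeded into the text field and
# return the names of those that emit it unescaped.
def find_unescaped_views(views, payload = XSS_MARKER)
  views.select { |_name, template|
    classify_output(render(template, payload)) == :unescaped
  }.keys
end

if __FILE__ == $PROGRAM_NAME
  views = {
    'profiles/show_safe'   => SAFE_TEMPLATE,
    'profiles/show_unsafe' => UNSAFE_TEMPLATE,
  }
  puts find_unescaped_views(views).inspect   # => ["profiles/show_unsafe"]
end
```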