Rails 3 provides the match method for defining custom routes, but we have to use it carefully to avoid cross-site scripting attacks (XSS Attack). Take routes like these, for example:
Note: (r3 stands for Rails 3, r4 for Rails 4)
# routes.rb
# coding=utf-8
__author__ = 'Vincent Ting'
#!/usr/bin/env python
# -*- coding: utf-8 -*-
__author__ = 'Vincent Ting'
import cookielib
import urllib2
#!/usr/bin/env ruby
require 'fileutils'
require 'debugger'
class Fixnum
  # Split a supplementary-plane code point (U+10000..U+10FFFF) into its
  # UTF-16 high/low surrogate pair.
  def to_surrogate_pair
    if self >= 0x10000 && self <= 0x10FFFF
      high = ((self - 0x10000) / 0x400).floor + 0xD800
      low = ((self - 0x10000) % 0x400) + 0xDC00
      [high, low]
    else
      # Completed here (assumption): BMP code points need no pair, so return as-is.
      [self]
    end
  end
end
source :rubygems
gem "puma"
gem "sinatra"
#!/usr/bin/env sh
brew update
brew install rbenv
brew install ruby-build
brew install openssl
CONFIGURE_OPTS=--with-openssl-dir=`brew --prefix openssl` rbenv install 2.0.0-preview1
The count of contributions (summary of Pull Requests, opened issues and commits) to public repos at GitHub.com from Wed, 21 Sep 2022 till Thu, 21 Sep 2023.
Only the first 1000 GitHub users by follower count are taken, because of limitations of GitHub search. Sorting algorithm in pseudocode:
githubUsers
.filter(user => user.followers > 1000)
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from tornado.wsgi import WSGIContainer
from tornado.ioloop import IOLoop
from tornado.web import FallbackHandler, RequestHandler, Application
from wsgi import app
class MainHandler(RequestHandler):
    def get(self):
require 'gollum/frontend/app'
require 'digest/sha1'
class App < Precious::App
  User = Struct.new(:name, :email, :password_hash, :can_write)
  before { authenticate! }
  before /^\/(edit|create|delete|livepreview|revert)/ do authorize_write! ; end
  helpers do
class PostsController < ActionController::Base
  def create
    Post.create(post_params)
  end
  def update
    Post.find(params[:id]).update_attributes!(post_params)
  end
  private
For a while, I have felt that the following is the correct way to improve the mass assignment problem without increasing the burden on new users. Now that the problem with the Rails default has been brought up again, it's a good time to revisit it.
When creating a form with form_for, include a signed token including all of the fields that were created at form creation time. Only these fields are allowed.
To allow new known fields to be added via JS, we could add: