Passing fullstops (periods) and forward slashes in a GET request? - ruby-on-rails

I have built a form that submits values to Wufoo as a GET request in the URL. I cannot get it to work if any of the values (in a textarea) contain a line-break or a forward slash. Is there a way to encode these in a URL?
This is being done in Rails.

I thought Rails would do that for you. But if you need to do it manually, you can use CGI::escape, e.g.
> require 'cgi'
...
> CGI.escape("hello%there\nworld")
=> "hello%25there%0Aworld"
EDIT:
Actually, CGI does not seem to escape a dot. URI can be used instead; it takes an extra parameter that lets you list extra characters you want escaped:
URI.escape("hello.there%world", ".")  # the second argument replaces the default unsafe set, so here only "." is escaped; URI.escape itself was removed in Ruby 3.0

http://en.wikipedia.org/wiki/Percent-encoding

Related

Match double slash in rails route constraint

Suppose I am expecting a url as part of my route - maybe a callback url or similar - I might use the following route:
get '/mymodel/:url', to: 'mycontroller#docallback', url: /.*/
Now I would like to be able to go to http://www.myapp.com/mymodel/http://www.google.co.uk/ and process http://www.google.co.uk/ in mycontroller - but it is processed as http:/www.google.co.uk/ (one slash). How can I rectify this? Is the regex wrong or is there some flag I have to set?
I don't think that "http://www.myapp.com/mymodel/http://www.google.co.uk/" is a valid url.
Normally if you want to pass a url as a parameter you would call CGI.escape on it first, which would convert "http://www.google.co.uk/" to "http%3A%2F%2Fwww.google.co.uk%2F". CGI.escape will turn any string into a url-safe version of itself, basically replacing any characters which have a special function in a url, like ":/?&", and also spaces and some other characters which would otherwise break the formatting.
So, you would end up with a url like
"http://www.myapp.com/mymodel/http%3A%2F%2Fwww.google.co.uk%2F"
which would come through in params like
params = {:url => "http://www.google.co.uk/"}
Note how it's been unescaped here: Rails automatically* calls CGI.unescape on parameter values before putting them into the params hash.
However, this url
"http://www.myapp.com/mymodel/http%3A%2F%2Fwww.google.co.uk%2F"
looks pretty weird to me. It would be better to be more explicit and pass it through as a named parameter in the url itself, like
"http://www.myapp.com/mymodel?url=http%3A%2F%2Fwww.google.co.uk%2F"
which will require a slight change to your routes.
* I think Rails will do this but it might depend on circumstances. Try it.
...Turned out that the request was not encoded on the client side before being sent; the solution was to use encodeURIComponent() on the url before sending it.

What is the proper way to sanitize user input when using a Ruby system call?

I have a Ruby on Rails Application that is using the X virtual framebuffer along with another program to grab images from the web. I have structured my command as shown below:
xvfb-run --server-args=-screen 0 1024x768x24 /my/c++/app #{user_provided_url}
What is the best way to make this call in rails with the maximum amount of safety from user input?
You probably don't need to sanitize this input in rails. If it's a URL and it's in a string format then it already has properly escaped characters to be passed as a URL to a Net::HTTP call. That said, you could write a regular expression to check that the URL looks valid. You could also do the following to make sure that the URL is parse-able:
uri = URI.parse(user_provided_url)
You can then query the object for its relevant parts:
uri.path
uri.host
uri.port
Maybe I'm wrong, but why don't you just make sure that the string given is really a URL (URI::parse), surround it with single quotes and escape any single quote (') character that appears inside?
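As an added example (not part of the question or either answer), one way to run the xvfb-run command from the question so that the user-supplied URL never reaches a shell: validate it with URI.parse, accept only absolute http(s) URLs, and pass it as a single element of the argv-array form of Kernel#system. The xvfb-run arguments and the /my/c++/app path are taken from the question; the validation rules are this example's own choice.

```ruby
require 'uri'

# Arguments from the question. The server args are ONE argv element here,
# which is what the quoted shell form --server-args="-screen 0 1024x768x24"
# would also produce.
XVFB_SERVER_ARGS = '--server-args=-screen 0 1024x768x24'
CAPTURE_BINARY   = '/my/c++/app' # path as given in the question

# Validate the user-supplied URL and return the argv array for xvfb-run.
# Raises ArgumentError for anything that is not an absolute http(s) URL.
def build_capture_argv(user_provided_url)
  uri = begin
    URI.parse(user_provided_url.to_s)
  rescue URI::InvalidURIError
    raise ArgumentError, 'not a parseable URL'
  end
  # URI::HTTPS is a subclass of URI::HTTP, so this accepts both schemes and
  # rejects file:, javascript:, data: and relative references.
  unless uri.is_a?(URI::HTTP) && uri.host && !uri.host.empty?
    raise ArgumentError, 'only absolute http(s) URLs are accepted'
  end
  # The validated URL is the only user-controlled element, and it occupies a
  # single argv slot, so no shell ever gets to interpret it.
  ['xvfb-run', XVFB_SERVER_ARGS, CAPTURE_BINARY, uri.to_s]
end

# Multi-argument form of Kernel#system: the program is exec()ed with this
# argv directly, /bin/sh is not involved, so metacharacters inside the URL
# ($(...), ;, |, backticks) reach the binary as literal text.
def capture_page(user_provided_url)
  system(*build_capture_argv(user_provided_url), exception: true)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: the URL is syntactically valid, yet would have been a
  # command substitution if it had been interpolated into a shell string.
  p build_capture_argv('http://example.com/page?id=1$(whoami)')
end
```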

slashes in url variables

I have set up my coldfusion application to have dynamic urls on the page, such as
www.musicExplained/index.cfm/artist/:VariableName
However my variable names will sometimes contain slashes, such as
www.musicExplained/index.cfm/artist/GZA/Genius
This is causing a problem, because my application presumes that the slash in the variable name represents a different section of the website, the artist's albums. So the URL will fail.
I am wondering if there is any way to prevent this from happening? Do I need to use a function that replaces slashes in the variable names with another character?
You need to escape the slashes as %2F.
You could easily replace the forward slashes / with something like an underscore _ such as Wikipedia uses for spaces. Replacing special characters with underscores, etc., is common practice.
You need to escape those, but don't just replace them with %2F manually. You can use URLEncoder for this.
E.g. URLEncoder.encode(url, "UTF-8")
Then you can say
yourUrl = "www.musicExplained/index.cfm/artist/" + URLEncoder.encode(VariableName, "UTF-8")
Check out this w3schools page about "HTML URL Encoding Reference":
https://www.w3schools.com/tags/ref_urlencode.asp
for / you would escape with %2F

rails helper to create a valid URI (with escape characters)

Is there any existing rails helper to create a valid URL?
Specifically, I am generating a Web URL with some parameters that have special characters (e.g. a space I need to convert into +, and many other special characters).
http://domain.name?param1=ABC+DEF&param2=GHI
Thanks.
You can use CGI.escape to do that.
CGI.escape("foo bar") # 'foo+bar'

Rails: post data with a '+' is getting set to a blank

I have post data that includes a '+' sign. Once it makes it to the server the raw post data is showing the '+' sign but once the post data makes it into the param hash the '+' sign has been converted to a blank. Any ideas on how to make it NOT do that?
If you replace your '+' signs with '%2B', this should resolve the issue.
However, also note that you probably need to check your ampersands, percent signs, and other characters as well. The server receiving your post data is probably expecting URLEncoded data.
In a nutshell, if you replace % signs with %25, then replace & with %26, replace ? with %3F, replace # with %23, and replace + signs with %2B; you will cover most of the issues you can encounter.
A more in-depth list of replacements can be found at these links.
HTML Url Encoding (w3schools)
Percent-Encoding (wikipedia)
Have a look at the CGI.escape method in the standard library that will do this for you:
irb(main):001:0> require 'cgi'
=> true
irb(main):002:0> CGI.escape 'foo+bar&baz?qux quux/corge'
=> "foo%2Bbar%26baz%3Fqux+quux%2Fcorge"
There's also a CGI.unescape method should you need to convert back.
Try replacing the + with %2B.
Not sure why that is happening. Normally + signs make it through to the params. Can you post your rails version? Also try escaping the "+" sign with "+" or its CGI equivalent "%2B" to see if it makes a difference.
There is a Ruby call to handle all this for you, so you don't need to figure out the characters yourself:
require 'uri'
url = "http://www.google.com?a=this is a test"
URI.escape(url, Regexp.new("[^#{URI::PATTERN::UNRESERVED}]"))  # URI.escape was removed in Ruby 3.0
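A single added example (Ruby, not code from any of the answers above) that covers the recurring question on this page: encoding a query value that contains a newline or slash (first question), carrying a full URL as a parameter (the route question), encoding a path segment that itself contains a slash (the ColdFusion question), and a literal "+" that arrives in params as a space (the last question). It uses URI.encode_www_form_component and ERB::Util.url_encode, which are current stand-ins for the removed URI.escape; all sample values are constructed from the questions.

```ruby
require 'uri'
require 'erb'

# Form-style (application/x-www-form-urlencoded) encoding of one query value,
# the same output CGI.escape gives: space -> "+", "/" -> "%2F", "\n" -> "%0A".
# "." is unreserved and is left alone by every encoder used here.
def encode_query_value(value)
  URI.encode_www_form_component(value)
end

# Encoding for one path segment, e.g. an artist name that contains "/".
# A space becomes "%20" rather than "+", and "/" becomes "%2F" so the router
# no longer splits the segment in two.
def encode_path_segment(segment)
  ERB::Util.url_encode(segment)
end

# Build a URL whose query carries arbitrary values, including a complete URL
# or a value with a literal "+".
def build_url(base, params)
  "#{base}?#{URI.encode_www_form(params)}"
end

# Decode the query back into a Hash, which is what Rack does when it fills
# params: "+" and "%20" both become a space, "%2B" becomes a literal "+".
def decode_query(url)
  URI.decode_www_form(URI(url).query.to_s).to_h
end

if __FILE__ == $PROGRAM_NAME
  puts encode_query_value("hello/there\nworld")            # hello%2Fthere%0Aworld
  puts encode_path_segment('GZA/Genius')                   # GZA%2FGenius
  puts build_url('http://domain.name', param1: 'ABC DEF', param2: 'GHI')
  callback = build_url('http://www.myapp.com/mymodel', url: 'http://www.google.co.uk/')
  puts callback
  p decode_query(callback)                                 # {"url"=>"http://www.google.co.uk/"}
  p decode_query('http://example.com/?v=1+1')              # {"v"=>"1 1"}: the raw "+" read as a space
  p decode_query(build_url('http://example.com/', v: '1+1')) # {"v"=>"1+1"}
end
```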
