[LRUG] Double submit

James Coglan jcoglan at gmail.com
Sat Jan 18 02:45:00 PST 2014


On 17 January 2014 14:22, Andrew Stewart <boss at airbladesoftware.com> wrote:

> I wrote this five years ago and haven't needed to revisit it since.  These
> days there are doubtless better ways to handle AJAX responses and update
> the page ;)
>

No, this is a perfectly fine way to do things, especially since Rails provides
XSS protection when rendering HTML on the server. The main other sensible
way to do this is for the server to return JSON, and have the client-side
code turn that into HTML. You do however need to make sure the client-side
code performs HTML-escaping of content to avoid XSS attacks, or use a
templating language like EJS or Jade that does this for you.

Although Rails encourages it, you should not return JavaScript in response
to an Ajax call, especially not for GET requests since it leads to CSRF
attacks. See https://github.com/jcoglan/unsafe_sjr for a demo.
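An added illustration (not code from the thread) of the JSON-to-HTML path James describes: the client receives a JSON Ajax response and builds markup from it. The payload, the `author`/`body` field names and the list markup are assumptions; the unsafe renderer shows how server data becomes live HTML, and the hardened one escapes every value first, which is what EJS's `<%= %>` does for you.

```javascript
// Added example, not part of the original mailing-list post.
// Escape the five characters that change meaning in HTML text and attributes.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Unsafe: interpolates server data straight into markup. Once this string is
// assigned to innerHTML, any tags inside a comment body are parsed as HTML.
function renderCommentsUnsafe(comments) {
  return comments
    .map(c => `<li><b>${c.author}</b>: ${c.body}</li>`)
    .join('');
}

// Hardened: every data value passes through escapeHtml before concatenation,
// so user-supplied markup is displayed as text rather than interpreted.
function renderCommentsSafe(comments) {
  return comments
    .map(c => `<li><b>${escapeHtml(c.author)}</b>: ${escapeHtml(c.body)}</li>`)
    .join('');
}

// Constructed JSON response, as a Rails action rendering `render json:` might
// return for a comment list. The second body contains markup on purpose.
const responseText = JSON.stringify([
  { author: 'alice', body: 'Looks good' },
  { author: 'bob', body: '<i>hi</i> & "bye"' }
]);

// Parse the response and render both ways so the difference is visible.
const comments = JSON.parse(responseText);
const unsafeHtml = renderCommentsUnsafe(comments);
const safeHtml = renderCommentsSafe(comments);
```

In a browser, prefer `element.textContent = c.body` for plain text nodes; string escaping is only needed when you genuinely must assemble HTML.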