CodeSOD: A Quick Escape

by Remy Porter, from The Daily WTF (#52W6Q)

I am old. I'm so old that, when I entered the industry, we didn't have specializations like "frontend" and "backend" developers. You just had developers, and everybody just sort of muddled about. As web browsers have migrated from "document display tool" to "enh, basically an operating system," in terms of complexity, these two branches of development have gotten increasingly siloed.

Which creates problems, like the one Carlena found. You see, the front-end folks didn't like the way things like quotes were displaying. A quote or a single quote should be represented as a character entity: &#39; for the apostrophe, for example.

Now, our frontend developers could have sanitized the strings for display on the client side, but making sure the frontend got good data was a backend problem, to their mind. But the backend developer was out of the office on vacation, so what were our struggling frontend folks to do?

    def CustomerHelper.html_encode(string)
      string.to_str.gsub(";","&#59;")
                   .gsub("<","&lt;")
                   .gsub(">","&gt;")
                   .gsub("\"","&#34;")
                   .gsub("\'","&#39;")
                   .gsub(")","&#41;")
                   .gsub("%","&#37;")
                   .gsub("@", "&#64;")
    end

Well, that doesn't look so bad, does it? It's a little weird that they're escaping ) but not (, but that's probably harmless. Certainly, this isn't the best way, but it's not terrible...

Except that the frontend developers didn't wrap this around sending the data to the frontend. They wrapped this around the save logic. When the name, address, email address, or company name were saved, they'd be saved with HTML entities right in line.

After a quick round of testing, the frontend folks happily saw that everything worked for them, and went back to tweaking CSS rules and having fights over whether CSS classnames should reflect purpose or behavior.

There was just one little problem. The frontend wasn't the only module which consumed this data. Some of the others escaped strings on the client side. So, when the user inputs their name as "Miles O'Keefe", the database stores "Miles O&#39;Keefe". When client code that escapes on the client side fetches that record, it converts it into "Miles O&#38;#39;Keefe".

The email sending modules, though, were the ones that had the worst time of it, as every newly modified email address became miles.okeefe&#64;howmuchkeef.com.

Thus the system sat, until the back-end developer got back from their vacation, and they got to head up all the cleanup and desanitization of a week's worth of garbage being added to the database.
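The wrong-layer bug above, as an added example that is not the article's or the project's code: the save-time encoder is reproduced so the snippet runs stand-alone, and CGI.escapeHTML / CGI.unescapeHTML from Ruby's standard library stand in for the client-side escaping and for the cleanup the back-end developer had to do. The record and its values are constructed sample data.

```ruby
require 'cgi'

# The save-time encoder from the article, reproduced so this example runs stand-alone.
def save_time_encode(s)
  s.gsub(";", "&#59;").gsub("<", "&lt;").gsub(">", "&gt;").gsub('"', "&#34;")
   .gsub("'", "&#39;").gsub(")", "&#41;").gsub("%", "&#37;").gsub("@", "&#64;")
end

# Wrong layer: the record is mangled before any consumer sees it.
def store_escaped(record)
  record.transform_values { |v| save_time_encode(v) }
end

# Right layer: the store keeps the raw value; each consumer encodes for its own sink.
def store_raw(record)
  record.dup
end

# HTML consumer escapes at render time (CGI.escapeHTML covers & < > " ').
# Fed an already-escaped value, it double-encodes: & becomes &amp;.
def render_html(record)
  "<p>#{CGI.escapeHTML(record[:name])}</p>"
end

# Email consumer needs the raw address; HTML entities have no meaning here.
def mail_to(record)
  record[:email]
end

# The cleanup: decode the stored entities once. This is only safe because the
# encoder was applied exactly once; a user who typed a literal "&#39;" would be
# indistinguishable from an apostrophe, which is why the fix is to stop
# encoding at save time, not to keep decoding.
def desanitize(record)
  record.transform_values { |v| CGI.unescapeHTML(v) }
end

# Constructed sample record, in the shape the article describes.
INPUT = { name: "Miles O'Keefe", email: "miles.okeefe@example.com" }

if __FILE__ == $PROGRAM_NAME
  puts render_html(store_escaped(INPUT)) # double-encoded apostrophe
  puts mail_to(store_escaped(INPUT))     # undeliverable address
  puts render_html(store_raw(INPUT))     # escaped exactly once, at output
  puts mail_to(store_raw(INPUT))         # intact address
end
```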
