
3.1.4. Guidelines and principles

The following are general recommendations based on the previous sections:
Always make sure output sent to the client is escaped correctly
Automatic ERB escaping in Rails covers most cases; however, developers should still be careful about rendering untrusted data directly to the user, and about misusing html_safe, which marks a string as trusted and switches escaping off for it.
Always make sure command arguments sent to components (shell, database) are escaped or trusted
Command injection is one of the best understood and most thoroughly studied attack vectors. Ruby on Rails provides good defenses against SQL injection, but developers should always be careful when executing OS commands with potentially untrusted arguments.
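The two escaping guidelines above, as an added example that is not part of the original guide: the same untrusted value is written into two different sinks, an HTML page and an OS command line, and each sink needs its own escaping. The HtmlSafe class is a stand-in for Rails' SafeBuffer/html_safe written for this example, so that the effect of marking untrusted input as safe can be shown in plain Ruby; everything else is standard library. The attacker-controlled strings are constructed.

```ruby
require "erb"
require "shellwords"
require "open3"
require "rbconfig"

# ---- Sink 1: HTML output -----------------------------------------------------
# ERB::Util.html_escape is the escaping Rails' ERB applies to <%= %> output.
# HtmlSafe is an assumed stand-in for ActiveSupport::SafeBuffer: a string
# carrying a flag that says "do not escape me".
class HtmlSafe < String; end

def html_safe(str)
  HtmlSafe.new(str)
end

# Escapes a value for interpolation into markup unless it was marked safe.
def html_fragment(value)
  value.is_a?(HtmlSafe) ? value.to_s : ERB::Util.html_escape(value)
end

def greeting(name)
  "<p>Hello, #{html_fragment(name)}</p>"
end

# Constructed attacker-controlled input
EVIL_NAME = "<img src=x onerror=alert(1)>"

# greeting(EVIL_NAME)            -> untrusted data is escaped, markup stays inert
# greeting(html_safe(EVIL_NAME)) -> html_safe on untrusted data reintroduces XSS

# ---- Sink 2: OS command line -------------------------------------------------
# Constructed attacker-controlled input containing a shell metacharacter.
EVIL_ARG = "x; id"

# Vulnerable pattern: one command string built by interpolation. Passed to
# system/backticks/Open3 as a single string it is handed to /bin/sh, which
# runs `id` after the intended command. Deliberately never executed here.
def command_string_vulnerable(arg)
  "#{RbConfig.ruby} -e 'puts ARGV.first' -- #{arg}"
end

# Fix 1 (preferred): pass an argv array. No shell is involved, so the
# argument reaches the child process verbatim, metacharacters included.
def run_argv(arg)
  out, _status = Open3.capture2(RbConfig.ruby, "-e", "puts ARGV.first", "--", arg)
  out.chomp
end

# Fix 2: when a command string is unavoidable, escape every untrusted piece
# with Shellwords (String#shellescape) before concatenating it.
def command_string_escaped(arg)
  "#{RbConfig.ruby.shellescape} -e 'puts ARGV.first' -- #{arg.shellescape}"
end

def run_escaped(arg)
  out, _status = Open3.capture2(command_string_escaped(arg))
  out.chomp
end

# For the database sink the Rails idiom is the same principle with ActiveRecord
# doing the escaping: prefer where(name: name) or where("name = ?", name) over
# where("name = '#{name}'").
```

Shellwords.split applied to the two command strings makes the difference visible without running anything: the vulnerable string tokenises to an argv ending in a separate "id" word, while the escaped string tokenises to the single argument "x; id". run_argv and run_escaped both actually spawn the child (a ruby interpreter, so no extra tools are needed) and return "x; id" untouched.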
Verify routing exposes actions through expected HTTP verbs
An important part of protecting against CSRF attacks is to make sure actions reachable through HTTP GET do not have side effects: the Rails CSRF token check only applies to non-GET requests, so a state-changing action reachable via GET is not covered by it. This should be considered from the very beginning, since cleaning up routing later in the development cycle tends to be intrusive and complex.
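A quick check for the routing guideline, as an added example that is not part of the original guide: it parses the text that `rails routes` prints and flags routes reachable via GET whose action name or last path segment looks state-changing. The word list MUTATING_WORDS is a heuristic chosen for this example, not something Rails defines, and the route table below is constructed to include both a clean RESTful resource and the kind of GET routes the guideline warns about.

```ruby
require "set"

# Heuristic (assumed for this example): action names and path words that
# normally change server state and therefore must not be reachable via GET.
MUTATING_WORDS = Set.new(%w[create update destroy delete remove]).freeze

Route = Struct.new(:prefix, :verb, :path, :controller, :action)

# Parses one line of `rails routes` output:
#   "   delete_post GET    /posts/:id/delete(.:format)  posts#delete"
# The prefix column may be blank; the verb may be a "GET|POST" combination.
# Returns nil for the header line and anything else that does not match.
def parse_route_line(line)
  m = line.match(%r{\A\s*(?:(\w+)\s+)?([A-Z|]+)\s+(\S+)\s+([\w/]+)#(\w+)\s*\z})
  return nil unless m
  Route.new(m[1], m[2], m[3], m[4], m[5])
end

# True when the route answers GET and looks like it mutates state.
def side_effect_on_get?(route)
  return false unless route.verb.split("|").include?("GET")
  last_segment = route.path.sub(/\(\.:format\)\z/, "").split("/").last.to_s
  MUTATING_WORDS.include?(route.action) || MUTATING_WORDS.include?(last_segment)
end

# Returns the routes that violate the guideline, in table order.
def audit_routes(routes_output)
  routes_output.lines.filter_map { |line| parse_route_line(line) }
                     .select { |route| side_effect_on_get?(route) }
end

# Constructed `rails routes` output. The first five lines are what
# `resources :posts` produces; the last three are the kind of hand-written
# GET routes that let a cross-site <img> or link trigger a state change.
SAMPLE_ROUTES = <<~ROUTES
        Prefix Verb     URI Pattern                    Controller#Action
         posts GET      /posts(.:format)               posts#index
               POST     /posts(.:format)               posts#create
      new_post GET      /posts/new(.:format)           posts#new
          post DELETE   /posts/:id(.:format)           posts#destroy
   delete_post GET      /posts/:id/delete(.:format)    posts#delete
               GET      /posts/:id/destroy(.:format)   posts#destroy
   update_post GET|POST /posts/:id(.:format)           posts#update
ROUTES

if __FILE__ == $PROGRAM_NAME
  audit_routes(SAMPLE_ROUTES).each do |r|
    puts "GET with side effect: #{r.verb} #{r.path} -> #{r.controller}##{r.action}"
  end
end
```

The three flagged routes are exactly the hand-written ones; the fix in config/routes.rb is to move them to the verb the action implies (for example `delete "/posts/:id", to: "posts#destroy"`, or simply `resources :posts`) so that the CSRF token check covers them.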