Escape Velocity

138 points by remi, about 12 years ago

9 comments

tmoertel, about 12 years ago
That Rails has an escape_once method is a big part of the reason I stopped using Rails. If you think "double escaping" is a problem to be solved by creating a helper method that won't escape what's already escaped, now you have two problems.

EDIT TO ELABORATE:

Problem 1 is the original problem, that parts of your code do not agree upon what a particular string represents. This is the "strings problem," the mother of XSS and injection vulnerabilities. [1]

Problem 2 is that the escape_once method papers over these problems, making them harder to detect, and preventing you from hunting down the logic errors that cause them. (Since these errors often occur in upstream code, you need to find them _before_ they execute to be safe, which is why compile-time methods [2] work best.)

[1] http://blog.moertel.com/posts/2007-08-15-a-bright-future-security-and-modern-type-systems.html

[2] http://blog.moertel.com/posts/2006-10-18-a-type-based-solution-to-the-strings-problem.html
rmckayfleming, about 12 years ago
And here I thought that Ambrosia just released the Escape Velocity source code.
lobster_johnson, about 12 years ago
To people horrified by the Rails code, keep in mind that Github is running Rails 2.3, which is very old and near the end of LTS. Rails 3.x has reworked the entire escaping situation and now avoids the re-escaping trap (strings must be flagged as "HTML safe", otherwise they are escaped on final injection into a document).
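The two points above, tmoertel's objection to escape_once and the Rails 3 "flagged as HTML safe" approach, in a small Ruby example added here; this is not code from the GitHub post, from Rails, or from any commenter, and escape_once, SafeHtml, render and the sample input are all constructed for illustration:

```ruby
require 'cgi'

# A naive escape-once helper, constructed here in the spirit of the Rails
# helper the thread criticises (not Rails' own code): escape markup
# characters, but leave anything that already looks like an entity alone.
# The lookahead on "&" is where the ambiguity lives.
def escape_once(str)
  str.gsub(/&(?![a-zA-Z]+;|#\d+;)/, '&amp;')
     .gsub('<', '&lt;').gsub('>', '&gt;').gsub('"', '&quot;')
end

# Type-based alternative (hypothetical, mirrors the "HTML safe" flag idea):
# a plain String is always raw text; SafeHtml is markup that has already been
# escaped or deliberately built. The renderer cannot confuse the two, so text
# is escaped exactly once no matter who handled it first.
class SafeHtml
  attr_reader :html
  def initialize(html)
    @html = html.to_s.freeze
  end
end

def escape_html(raw)
  SafeHtml.new(CGI.escapeHTML(raw))
end

def render(value)
  case value
  when SafeHtml then value.html            # already markup: pass through
  when String   then CGI.escapeHTML(value) # raw text: escape here, once
  else raise TypeError, "cannot render #{value.class}"
  end
end

# Constructed input: a user literally typed "&lt;b&gt;" into a comment, say
# while explaining entities. escape_once guesses that part is already escaped
# and leaves it, so the browser shows "<b>" instead of what was typed.
USER_TYPED = '&lt;b&gt; is how you write <b> safely'

def output_with_escape_once
  escape_once(USER_TYPED) # => "&lt;b&gt; is how you write &lt;b&gt; safely"
end

# With the typed approach the same input round-trips faithfully, and escaping
# twice is impossible: escape_html returns SafeHtml, which render passes
# through, so both elements below are identical.
def output_with_types
  [render(USER_TYPED), render(escape_html(USER_TYPED))]
end
```

A string that was escaped upstream but never wrapped in SafeHtml shows up as a visible "&amp;lt;" in the page rather than being silently absorbed, which is exactly the upstream logic error the comment says escape_once hides.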
minimax, about 12 years ago
"Just by replacing the escaping function with a more optimized one, we've reduced the average request time by 45ms, and we're allocating 20,000 less Ruby objects per request. That was a lot of escaped HTML right there!"

I generally stay away from web development so forgive me if this one is obvious, but why does so much text need to have HTML escaping performed in order to render the page? Also is there a way to quantify how much text that is? Like a few K per page or a few hundred K?
Irishsteve, about 12 years ago
What a disappointing post. After the Ambrosia Software announcement the other day I thought they had open sourced Escape Velocity.
purephase, about 12 years ago
Very cool. I'll have to check this out. That profile tool looks interesting too. I've been using the rack-mini-profiler gem but it might be a good idea to do a deeper dive.

As always GH, thanks for sharing.
jamesaguilar, about 12 years ago
I'm always amazed by these startups doing what _seems_ like really simple optimizations and reaping these enormous benefits. If your tools support profiling, you should at least give it a shot once in a while. The fruit are hanging low indeed if Github can reap this kind of reward with this small a tweak.
mbell, about 12 years ago
FTA: "273,006 objs avg/req"

Wow, that is...a lot...is that mostly rails or is that in user code?
silasb, about 12 years ago
I love stories like this. Makes me wish I could spend more time in Ruby land creating/fixing slow code.