(The Ruby tainting facility is not used other than as a flag on the objects, because anything more would require a $SAFE level greater than zero, which is Rails-unfriendly.) This reduces the possibility of cross-site scripting attacks. The plugin is available at http://agilewebdevelopment.com/plugins/safe_erb.
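To make the taint-and-check idea concrete, here is an added example (not the safe_erb plugin's own code): request data carries an "untrusted" marker, h() is the only operation that clears it, and a minimal stand-in for the ERB renderer refuses to emit a still-untrusted string. The UntrustedString class, from_request and safe_render are assumptions made for this illustration; the input string is constructed.

```ruby
require "cgi"

# Raised when unescaped request data would be written into the page.
class UntrustedOutput < StandardError; end

# Ruby's taint flag (removed in Ruby 3.2) is modelled as a String subclass
# that carries an "untrusted" marker and nothing else.
class UntrustedString < String; end

# Wrap a value read from the request (e.g. params[:name]) so its origin is
# remembered wherever it is passed.
def from_request(value)
  UntrustedString.new(value.to_s)
end

# Escaping is the only way to turn an untrusted string into a trusted one:
# it returns a plain String, so the marker is dropped.
def h(value)
  String.new(CGI.escapeHTML(value.to_s))
end

# Tiny <%= var %> renderer standing in for ERB. Each variable is looked up
# in +vars+; a value that still carries the untrusted marker raises instead
# of being inserted into the output.
def safe_render(template, vars)
  template.gsub(/<%=\s*(\w+)\s*%>/) do
    value = vars.fetch(Regexp.last_match(1).to_sym)
    if value.is_a?(UntrustedString)
      raise UntrustedOutput, "unescaped request data rendered: #{value.inspect}"
    end
    value.to_s
  end
end

if __FILE__ == $PROGRAM_NAME
  name = from_request("<script>alert(1)</script>")  # constructed request input
  puts safe_render("<p>Hello, <%= who %></p>", who: h(name))
  begin
    safe_render("<p>Hello, <%= who %></p>", who: name)
  rescue UntrustedOutput => e
    puts "blocked: #{e.message}"
  end
end
```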
Further Reading
The HTTP/1.1 specification, RFC 2616, has some guiding principles for security at the HTTP level (http://www.w3.org/Protocols/rfc2616/rfc2616-sec15.html).
Current Rails best practices for security are summarized at http://www.quarkruby.com/2007/9/20/ruby-on-rails-security-guide. This guide provides "cookbook"-style solutions for many real-world problems such as authentication; mitigating SQL injection, XSS, and CSRF; handling file uploads; and preventing form spam.
CHAPTER 6
Performance
Premature optimization is the root of all evil (or at least most of it) in programming.
—Donald Knuth (attributed to C. A. R. Hoare)
Performance is an interesting beast. Performance optimization often has a bad reputation
because it is often performed too early and too often, usually at the expense of
readability, maintainability, and even correctness. Rails is generally fast enough, but
it is possible to make it slow if you are not careful.
You should keep the following guidelines in mind when optimizing performance:
Algorithmic improvements always beat code tweaks
It is very tempting to try to squeeze every last bit of speed out of a piece of code,
but often you can miss the bigger picture.