Forum: Ruby escaping/stripping all user HTML input

Announcement (2017-05-07): is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see and for other Rails- und Ruby-related community platforms.
Luis (Guest)
on 2007-06-28 22:27
(Received via mailing list)
I am writing an application where I know that I do not need to allow
any HTML input from a user.

I am considering using before_filter at the controller level to call a
method that essentially performs the following on the appropriate
members of the params hash:
- call strip_tags()
- escape any remaining characters with h()

The reason why I am doing this is it seems repetitive and error prone
to have to call the above method every time in a view where user input
is being displayed. Ultimately, I would prefer to store the data in as
"non-malicious" format as possible and not have to worry at the
presentation level of escaping that data at a later time.

Is there a better way to do this? Is there existing code that does
this already? Some googling yielded nothing specific other than
postings to the effect of "in your view, make sure to use h()".
Luis (Guest)
on 2007-06-28 23:13
(Received via mailing list)
Oh woops, my mistake! Meant to send this to the Rails list.
This topic is locked and can not be replied to.