Forum: Ruby on Rails Prevent HTML input

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- and Ruby-related community platforms.
pankaj (Guest)
on 2009-05-09 11:21
(Received via mailing list)
Hi all,
Is there any plugin to prevent an HTML form from accepting HTML in the input, throughout the application?
Regards,
Pankaj
Colin L. (Guest)
on 2009-05-09 12:06
(Received via mailing list)
What do you mean by preventing the form from accepting HTML input? Do you want to prevent input while the user is typing, to check it in the browser when the user clicks submit and not submit if there is HTML, or to parse the data in the controller after it is submitted and fail validation if necessary?

Note that the first two of these would not prevent someone posting HTML in the form by manually building the POST request rather than using your form in a browser.

Colin

pankaj (Guest)
on 2009-05-09 15:05
(Received via mailing list)
I want to parse the data on the server side after it is submitted and fail validation if necessary.
Regards,
Pankaj
Tom Z Meinlschmidt (Guest)
on 2009-05-09 15:15
(Received via mailing list)
hi,

just strip all the HTML tags, e.g.

def save_form
  # strip anything that looks like a tag (<...>) from the textarea field, in place
  params[:form]['textarea'].gsub!(/<[^>]*>/, '')
  ...
end

but that's a very simple example; you will probably have to construct a more
sophisticated solution (strip code inside javascript etc.)

tom

pankaj wrote:
> Hi all,
> Is there any plugin to prevent html form accepting HTML in the input,
> throughout the application.
> Regards,
> Pankaj
>

--
===============================================================================
Tomas Meinlschmidt, MS {MCT, MCP+I, MCSE, AER}, NetApp Filer/NetCache

www.meinlschmidt.com  www.maxwellrender.cz  www.lightgems.cz
===============================================================================
pankaj (Guest)
on 2009-05-09 15:41
(Received via mailing list)
How can this save_form function be called for all the params passed?
Tom Z Meinlschmidt (Guest)
on 2009-05-09 17:45
(Received via mailing list)
# strip tags from every value of params[:form], in place
# (assumes every value is a String; a nested Hash or Array value would raise NoMethodError on gsub!)
params[:form].each { |_key, value| value.gsub!(/<[^>]*>/, '') }

Matt J. (Guest)
on 2009-05-09 19:39
(Received via mailing list)
I'd also recommend that you use a somewhat more intelligent solution -
take a look at SanitizeHelper, part of ActionView:

http://api.rubyonrails.org/classes/ActionView/Help...

There are a lot of gotchas in trying to clean up user input, so it's
better if you can use a well-tested solution.

--Matt J.
pankaj (Guest)
on 2009-05-10 14:59
(Received via mailing list)
Thanks everyone for your replies.
I want to use the sanitize helper in one central location, so that I
do not have to write it for each form.
Regards,
Pankaj
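As an added example, not code from the thread or from any of the posters, here is a framework-free Ruby sketch of the two ideas above: Tom's strip-every-tag regex applied to the whole params hash in one central place (what Pankaj asks for), and the alternative Pankaj mentioned earlier, failing validation instead of silently altering the input. It assumes plain Ruby with no Rails loaded; `walk_strings`, `strip_all_params`, `html_offenders`, `HTML_SMELL` and the sample params are this example's own names and constructed input, not part of any library.

```ruby
# Added example (not from the thread). Plain Ruby, no Rails: a central
# "strip or reject HTML in every param" helper and the inputs the naive
# regex gets wrong. Names below are this example's own assumptions.
require 'cgi'

# Tom's pattern, as a constant: anything that looks like <...>.
TAG_RE = /<[^>]*>/

# For the "fail validation" variant we want to know whether a field could
# turn into markup at all, so this also flags entities (&lt;, &#60;, &#x3c;),
# which become tags if the app ever HTML-decodes stored input. (Assumed rule.)
HTML_SMELL = /<|&#?[a-z0-9]+;/i

# Tom's one-liner as a method (returns a new string, does not mutate).
def strip_tags_naive(str)
  str.gsub(TAG_RE, '')
end

# Apply a block to every String leaf of a params-like structure.
# A flat `params[:form].each { |k, v| v.gsub!(...) }` only handles a hash of
# strings; nested hashes and arrays (form[addresses][][city]) would raise
# NoMethodError on gsub!. Non-string leaves (numbers, nil, uploads) pass through.
def walk_strings(value, &blk)
  case value
  when Hash   then value.each_with_object({}) { |(k, v), h| h[k] = walk_strings(v, &blk) }
  when Array  then value.map { |v| walk_strings(v, &blk) }
  when String then blk.call(value)
  else value
  end
end

# What a central filter would do with the whole params hash.
def strip_all_params(params)
  walk_strings(params) { |s| strip_tags_naive(s) }
end

# Reject instead of silently mangling: return the dotted paths of every
# param that smells of HTML, so the controller can fail the request.
def html_offenders(value, path = [])
  case value
  when Hash   then value.flat_map { |k, v| html_offenders(v, path + [k.to_s]) }
  when Array  then value.each_with_index.flat_map { |v, i| html_offenders(v, path + [i.to_s]) }
  when String then value =~ HTML_SMELL ? [path.join('.')] : []
  else []
  end
end

# The other option: store what the user typed and escape on output.
def escape_html(str)
  CGI.escapeHTML(str)
end

# Three constructed inputs the regex handles badly:
#   unclosed tag   -> no '>' to match, survives untouched; a browser will close
#                     the tag at the next '>' of the surrounding page
#   entity-encoded -> untouched; becomes <script> after a single decode
#   legit text     -> '< b and c >' is eaten as if it were a tag
def naive_strip_examples
  {
    unclosed: strip_tags_naive('<img src=x onerror=alert(1)//'),
    encoded:  strip_tags_naive('&lt;script&gt;alert(1)&lt;/script&gt;'),
    legit:    strip_tags_naive('if a < b and c > d'),
  }
end

if __FILE__ == $PROGRAM_NAME
  form = { 'form' => { 'title' => '<i>hello</i>', 'tags' => ['<b>x</b>', 'y'], 'count' => 3 } }
  p strip_all_params(form)
  p html_offenders({ 'form' => { 'title' => 'ok', 'body' => '<img src=x onerror=alert(1)//' } })
  p naive_strip_examples
end
```

In a Rails app the central place would be a `before_filter` (Rails 2.x; `before_action` in later versions) in ApplicationController that either replaces the strings in `params` with `strip_all_params(params)` or renders an error when `html_offenders(params)` is non-empty. The three cases in `naive_strip_examples` are why the thread's later replies point at a tested sanitizer: the regex both misses unclosed and entity-encoded markup and destroys harmless text containing `<` and `>`, whereas escaping on output (`escape_html`) never has to guess what a tag is.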
Julian L. (Guest)
on 2009-05-11 05:24
(Received via mailing list)
On 09/05/2009, at 6:05 PM, Colin L. <removed_email_address@domain.invalid> wrote:

> What do you mean by preventing the form from accepting html input?
> Do you want to prevent input while the user is typing, to check it
> in the browser when the user clicks submit and not submit if there
> is html, or to parse the data in the controller after it is
> submitted and fail validation if necessary?
>

He means: is there JavaScript client-side validation to save a server
round trip for validation? I reckon that oughta be in Rails 3 form
helpers.

Blog: http://random8.zenunit.com/
Learn: http://sensei.zenunit.com/
Twitter: http://twitter.com/random8r
Ram (Guest)
on 2009-05-11 13:27
(Received via mailing list)
Hi Pankaj,

You might like to have a look at the XSS Terminate plugin: github.com/look/xss_terminate/tree/master

Install and forget ... as the Readme says. :)