Currently my comments are filtered by the h-command which is fine but I'd like to add some expections to it. Well, I dont need to use the h-command but a system that would allow a few html tags and deny all others would be perfect. Is there such code out there somewhere that I could use? I tried to google around but couldn't find anything. I also could do the whole thing myself but the regexp bits are a bit too hard.
on 06.10.2006 13:58
on 06.10.2006 14:21
RoR newbie wrote:
> Posted via http://www.ruby-forum.com/.
Instead of h try using sanitize it should escape the bad stuff like
script tags
on 06.10.2006 14:47
On 6 October 2006 15:58, RoR newbie wrote: > Currently my comments are filtered by the h-command which is fine but > I'd like to add some expections to it. Well, I dont need to use the > h-command but a system that would allow a few html tags and deny all > others would be perfect. > > Is there such code out there somewhere that I could use? I tried to > google around but couldn't find anything. I also could do the whole > thing myself but the regexp bits are a bit too hard. This concept is called "html white list"... Try googling on it, I'm sure there are some plugins already available for that.
on 06.10.2006 15:11
Maxim Kulkin wrote: > On 6 October 2006 15:58, RoR newbie wrote: >> Currently my comments are filtered by the h-command which is fine but >> I'd like to add some expections to it. Well, I dont need to use the >> h-command but a system that would allow a few html tags and deny all >> others would be perfect. >> >> Is there such code out there somewhere that I could use? I tried to >> google around but couldn't find anything. I also could do the whole >> thing myself but the regexp bits are a bit too hard. > This concept is called "html white list"... Try googling on it, I'm sure > there > are some plugins already available for that. Make sure that whatever HTML white list method you choose, that it also deal with attributes. The Rails Recipe has an HTML whitelist recipe that doesn't deal with attributes at all, making it unsafe. I could throw in cookie stealing javascript events or style attributes that put in nasty background images. http://fora.pragprog.com/rails-recipes/posts/show/127 That's one recipe, and my method of making it safe is posted as a comment. -DJCP
on 06.10.2006 16:28
Daniel Collis-puro wrote:
> http://fora.pragprog.com/rails-recipes/posts/show/127
How can I whitelist attributes with that example and your patch to it?
on 06.10.2006 21:01
RoR newbie wrote:
> How can I whitelist attributes with that example and your patch to it?
I've got a helper method I'm finishing up the Rdoc on. I'll post a link
when it's ready, probably much later tonight or this weekend.
on 07.10.2006 03:59
On 10/6/06, Daniel Collis-puro <rails-mailing-list@andreas-s.net> wrote: > > RoR newbie wrote: > > > How can I whitelist attributes with that example and your patch to it? > > I've got a helper method I'm finishing up the Rdoc on. I'll post a link > when it's ready, probably much later tonight or this weekend. > http://svn.techno-weenie.net/projects/plugins/white_list/ -- Rick Olson http://weblog.techno-weenie.net http://mephistoblog.com
on 07.10.2006 04:30
Rick Olson wrote: > On 10/6/06, Daniel Collis-puro <rails-mailing-list@andreas-s.net> wrote: >> >> RoR newbie wrote: >> >> > How can I whitelist attributes with that example and your patch to it? >> >> I've got a helper method I'm finishing up the Rdoc on. I'll post a link >> when it's ready, probably much later tonight or this weekend. >> > > http://svn.techno-weenie.net/projects/plugins/white_list/ > Ha. That's funny. Mine is ridiculously similar. Big difference is that I've set it up to take allowed tags/attributes as a data structure, allowing you to easily define different tag/attribute profiles for different purposes in one go. I'll throw it up here anyway. -DJCP
on 07.10.2006 07:35
> Ha. That's funny. > > Mine is ridiculously similar. Big difference is that I've set it up to > take allowed tags/attributes as a data structure, allowing you to easily > define different tag/attribute profiles for different purposes in one > go. > > I'll throw it up here anyway. I'm seeing the need for that actually. I'm not sure it's anything I'd have to add support for in my plugin though, I'll probably just make helpers like white_list_comments that pass in special customizations. -- Rick Olson http://weblog.techno-weenie.net http://mephistoblog.com
on 07.10.2006 11:55
On 10/6/06, Daniel Collis-puro <rails-mailing-list@andreas-s.net> wrote: > >> thing myself but the regexp bits are a bit too hard. > http://fora.pragprog.com/rails-recipes/posts/show/127 > > That's one recipe, and my method of making it safe is posted as a > comment. > > -DJCP I would recommend contacting the author to have this included in the next edition. -Conrad > http://groups.google.com/group/rubyonrails-talk > ~----------~----~----~----~------~----~------~--~---
on 07.10.2006 23:10
Rick Olson wrote: > > I'm seeing the need for that actually. I'm not sure it's anything I'd > have to add support for in my plugin though, I'll probably just make > helpers like white_list_comments that pass in special customizations. > Here it is. http://www.kookdujour.com/blog/details/11 Keep in mind I just picked up Ruby and Rails mid-August, so forgive me if you see me baby-talking in my code. Just think "aww... that's so cute! He's learning to talk like big people do!" You can test it out interactively with the default profile at http://www.kookdujour.com/filter_test . I've attempted to make the Rdoc as clear as possible, but generally I'm pretty happy with the flexibility this helper provides in terms of making output "safe". The way I'll use it is to define different "tag profiles" as constants in my models, then pass those tag profiles to "unsafe" HTML right before display. Because the profile is a data structure, one could build a more interactive way of defining what tags/attributes are allowed to who. Feedback is GREATLY appreciated. -DJCP
on 13.11.2006 17:21
I'm having hard time trying to call this from the model. (it can't be included and can't be called as static function as well) I think the :attributes clashes with AR. Is there any reason this is not done while saving to the model (database), so the call happens only when saving not on every view request?
on 13.11.2006 17:25
Sorry, forgot to mention that I'm referring to the white_list plugin.
on 13.11.2006 17:27
Reynard wrote: > I'm having hard time trying to call this from the model. (it can't be > included and can't be called as static function as well) I think the > :attributes clashes with AR. > Is there any reason this is not done while saving to the model > (database), so the call happens only when saving not on every view > request? Yes. I don't like molesting user input. And you may find that you want to change rendering policies down the road, so it's better to have the raw input available or you won't be able to. If you're going to let people edit stuff they create and you render on save, then you'll be forcing them to edit text different than what they actually entered. Unless you set up two fields - one to hold the "raw" input and another to hold the "rendered" input. But I don't think it's worth it. If you're using fragment (or other) rails caching on your rendered output (you probably should, depending on your app) then the overhead of the render on each view should be negligble. -DJCP
on 13.11.2006 17:35
Makes sense enough :) thanks for the input and the code contribution!