Filtering user comments

Currently my comments are filtered by the h-command which is fine but
I’d like to add some expections to it. Well, I dont need to use the
h-command but a system that would allow a few html tags and deny all
others would be perfect.

Is there such code out there somewhere that I could use? I tried to
google around but couldn’t find anything. I also could do the whole
thing myself but the regexp bits are a bit too hard.

RoR newbie wrote:

Posted via http://www.ruby-forum.com/.
Instead of h try using sanitize it should escape the bad stuff like
script tags

On 6 October 2006 15:58, RoR newbie wrote:

Currently my comments are filtered by the h-command which is fine but
I’d like to add some expections to it. Well, I dont need to use the
h-command but a system that would allow a few html tags and deny all
others would be perfect.

Is there such code out there somewhere that I could use? I tried to
google around but couldn’t find anything. I also could do the whole
thing myself but the regexp bits are a bit too hard.
This concept is called “html white list”… Try googling on it, I’m sure
there
are some plugins already available for that.

Maxim K. wrote:

On 6 October 2006 15:58, RoR newbie wrote:

Currently my comments are filtered by the h-command which is fine but
I’d like to add some expections to it. Well, I dont need to use the
h-command but a system that would allow a few html tags and deny all
others would be perfect.

Is there such code out there somewhere that I could use? I tried to
google around but couldn’t find anything. I also could do the whole
thing myself but the regexp bits are a bit too hard.
This concept is called “html white list”… Try googling on it, I’m sure
there
are some plugins already available for that.

Make sure that whatever HTML white list method you choose, that it also
deal with attributes. The Rails Recipe has an HTML whitelist recipe that
doesn’t deal with attributes at all, making it unsafe. I could throw in
cookie stealing javascript events or style attributes that put in nasty
background images.

http://fora.pragprog.com/rails-recipes/posts/show/127

That’s one recipe, and my method of making it safe is posted as a
comment.

-DJCP

Daniel Collis-puro wrote:

http://fora.pragprog.com/rails-recipes/posts/show/127

How can I whitelist attributes with that example and your patch to it?

On 10/6/06, Daniel Collis-puro [email protected] wrote:

RoR newbie wrote:

How can I whitelist attributes with that example and your patch to it?

I’ve got a helper method I’m finishing up the Rdoc on. I’ll post a link
when it’s ready, probably much later tonight or this weekend.

http://svn.techno-weenie.net/projects/plugins/white_list/


Rick O.
http://weblog.techno-weenie.net
http://mephistoblog.com

RoR newbie wrote:

How can I whitelist attributes with that example and your patch to it?

I’ve got a helper method I’m finishing up the Rdoc on. I’ll post a link
when it’s ready, probably much later tonight or this weekend.

Rick O. wrote:

On 10/6/06, Daniel Collis-puro [email protected] wrote:

RoR newbie wrote:

How can I whitelist attributes with that example and your patch to it?

I’ve got a helper method I’m finishing up the Rdoc on. I’ll post a link
when it’s ready, probably much later tonight or this weekend.

http://svn.techno-weenie.net/projects/plugins/white_list/

Ha. That’s funny.

Mine is ridiculously similar. Big difference is that I’ve set it up to
take allowed tags/attributes as a data structure, allowing you to easily
define different tag/attribute profiles for different purposes in one
go.

I’ll throw it up here anyway.

-DJCP

Ha. That’s funny.

Mine is ridiculously similar. Big difference is that I’ve set it up to
take allowed tags/attributes as a data structure, allowing you to easily
define different tag/attribute profiles for different purposes in one
go.

I’ll throw it up here anyway.

I’m seeing the need for that actually. I’m not sure it’s anything I’d
have to add support for in my plugin though, I’ll probably just make
helpers like white_list_comments that pass in special customizations.


Rick O.
http://weblog.techno-weenie.net
http://mephistoblog.com

Rick O. wrote:

I’m seeing the need for that actually. I’m not sure it’s anything I’d
have to add support for in my plugin though, I’ll probably just make
helpers like white_list_comments that pass in special customizations.

Here it is.

http://www.kookdujour.com/blog/details/11

Keep in mind I just picked up Ruby and Rails mid-August, so forgive me
if you see me baby-talking in my code. Just think “aww… that’s so
cute! He’s learning to talk like big people do!”

You can test it out interactively with the default profile at
http://www.kookdujour.com/filter_test . I’ve attempted to make the Rdoc
as clear as possible, but generally I’m pretty happy with the
flexibility this helper provides in terms of making output “safe”.

The way I’ll use it is to define different “tag profiles” as constants
in my models, then pass those tag profiles to “unsafe” HTML right before
display. Because the profile is a data structure, one could build a more
interactive way of defining what tags/attributes are allowed to who.

Feedback is GREATLY appreciated.

-DJCP

On 10/6/06, Daniel Collis-puro [email protected] wrote:

thing myself but the regexp bits are a bit too hard.
http://fora.pragprog.com/rails-recipes/posts/show/127

That’s one recipe, and my method of making it safe is posted as a
comment.

-DJCP

I would recommend contacting the author to have this included in the
next edition.

-Conrad

http://groups.google.com/group/rubyonrails-talk

~----------~----~----~----~------~----~------~–~—

I’m having hard time trying to call this from the model. (it can’t be
included and can’t be called as static function as well) I think the
:attributes clashes with AR.
Is there any reason this is not done while saving to the model
(database), so the call happens only when saving not on every view
request?

Sorry, forgot to mention that I’m referring to the white_list plugin.

Makes sense enough :slight_smile: thanks for the input and the code contribution!

Reynard wrote:

I’m having hard time trying to call this from the model. (it can’t be
included and can’t be called as static function as well) I think the
:attributes clashes with AR.
Is there any reason this is not done while saving to the model
(database), so the call happens only when saving not on every view
request?

Yes. I don’t like molesting user input. And you may find that you want
to change rendering policies down the road, so it’s better to have the
raw input available or you won’t be able to.

If you’re going to let people edit stuff they create and you render on
save, then you’ll be forcing them to edit text different than what they
actually entered. Unless you set up two fields - one to hold the “raw”
input and another to hold the “rendered” input. But I don’t think it’s
worth it.

If you’re using fragment (or other) rails caching on your rendered
output (you probably should, depending on your app) then the overhead of
the render on each view should be negligble.

-DJCP

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs