How to "sanitize" a link?

Hi, I want to permit users to send their own content: text, HTML, and
stuff like that. It should also permit them to send their own design,
using div, span, internal style attributes and so on. Obviously I’d like
to protect everything by forbidding JavaScript, but permitting object and
embed (for YouTube, gvideo, etc.).
From a previous post the suggestion was wonko/sanitize:
http://www.ruby-forum.com/topic/186697
But I’ve not found time to try it yet.
By the way, my question now is a different one: how can I remove external
links, but keep the link text and internal links?
I mean, if a user inserts “my site” (linked to an external site) it should
be sanitized to just “my site”, whereas if he inserts “read this page”
(linked to domain.com) it should be kept as it is (domain.com is
“whitelisted”). It should also remove others like mailto:, ftp:, etc.
(just keep http and https).
Any hint about this? (considering the first lines about styles, and
which sanitizer to use)
Thank you

Take a look at: http://guides.rubyonrails.org/security.html

and then look at what you’re trying to provide.

Is it really worth the risk?

A compromise might be http://redcloth.org/, a Textile-to-Ruby module.

On Jun 29, 5:59 pm, Xdmx X. [email protected]

Hi AGoofin, unfortunately I know the risks of allowing such tags and
attributes, but it’s a requirement of the system, and Textile (or
similar) isn’t powerful enough (you can’t create templates like you do
with CSS and divs).
Do you have any hint about the link escaper?

Xdmx X. wrote:

From a previous post the suggestion was wonko/sanitize:
http://www.ruby-forum.com/topic/186697
http://wonko.com/post/sanitize

But I’ve not found time to try it yet.
This looks exactly like what you need. Why are you asking again if you
have a recommendation for something that you haven’t even tried?


Even without Sanitizer, this seems fairly trivial:

irb(main):017:0> links = "<a href='http://external.example'>click here for your FACE</a> <a href='http://whitelisted.com'>this domain is allowed</a>" # first href is a placeholder: the original link target was lost when this page was archived
irb(main):018:0> allowed = "http://whitelisted.com"
irb(main):019:0> doc = Hpricot links
irb(main):020:0> (doc/"//a").each { |tag| tag.swap(tag.inner_text) unless tag[:href] == allowed }
=> #<Hpricot::Elements[..., {elem <a href="http://whitelisted.com"> "this domain is allowed" </a>}]>
irb(main):021:0> doc.to_s
=> "click here for your FACE <a href=\"http://whitelisted.com\">this domain is allowed</a>"

pharrington wrote:


Hi, I’m trying this solution, but I’ve found that when
links = ‘
Hpricot dies with “The error occurred while evaluating nil.parent=”
when it should return just the image: ‘
Any idea on how to solve this?

I’ve also changed it with a regex:
(doc/"//a").each { |tag| tag.swap(tag.inner_text) unless tag[:href] =~ /http[s]{0,1}:\/\/[-A-Za-z0-9_.]*domain\.com.*/i }

in order to accept www.domain.com, domain.com, sub.domain.com, etc. (I
just need to tighten that regex so that a dot is required when there is
something before domain.com, in order to accept www.domain.com and
domain.com but deny anotherdomain.com).

Thank you
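Xdmx's two remaining problems, a link whose only content is an image and a host check that must accept domain.com and its subdomains but reject anotherdomain.com, mailto: and ftp:, handled together as an added example that is not code from this thread. It uses URI and REXML from the Ruby standard library instead of Hpricot (REXML needs well-formed XHTML input, so for arbitrary user HTML feed the same allowed_href? decision to a tolerant sanitizer such as Sanitize), and the sample fragment is constructed.

```ruby
# Added example (not code from the thread): unwrap every <a> whose href is
# not an http(s) link to the whitelisted domain or one of its subdomains,
# keeping the anchor's inner nodes in place, so linked text stays as text
# and a linked <img> stays as an image. REXML (Ruby stdlib) stands in for
# Hpricot here, so the fragment must be well-formed XHTML.
require 'rexml/document'
require 'uri'

# True only for http/https URLs whose host is the allowed domain itself or
# a subdomain of it: www.domain.com and sub.domain.com pass, while
# anotherdomain.com and domain.com.evil.example do not. mailto:, ftp:,
# javascript: and relative hrefs (no scheme) all fail the scheme check.
def allowed_href?(href, allowed_domain)
  uri = URI.parse(href.to_s.strip)
  return false unless %w[http https].include?(uri.scheme)
  host = uri.host.to_s.downcase
  host == allowed_domain || host.end_with?(".#{allowed_domain}")
rescue URI::Error # an unparsable href is never allowed
  false
end

# Replace each disallowed <a> with its own child nodes instead of with
# inner_text, which drops tags and, as reported above for a link around
# an image, blows up in Hpricot.
def strip_external_links(fragment, allowed_domain)
  doc = REXML::Document.new("<root>#{fragment}</root>") # raises on bad XML
  REXML::XPath.match(doc, '//a').each do |a|
    next if allowed_href?(a.attributes['href'], allowed_domain)
    parent = a.parent
    a.to_a.each { |child| parent.insert_before(a, child) } # move, keep order
    parent.delete(a)
  end
  doc.root.to_a.map(&:to_s).join # drop the <root> wrapper again
end

# Constructed sample input covering the cases raised in the thread.
SAMPLE_FRAGMENT = '<p><a href="http://anotherdomain.com/">my site</a> and ' \
  '<a href="http://www.domain.com/page">read this page</a>, ' \
  '<a href="mailto:[email protected]">mail</a>, ' \
  '<a href="ftp://domain.com/f">ftp</a>, ' \
  '<a href="http://other.example/"><img src="http://domain.com/pic.png"/></a></p>'

# Prints the fragment with the four disallowed anchors unwrapped.
puts strip_external_links(SAMPLE_FRAGMENT, 'domain.com') if $PROGRAM_NAME == __FILE__
```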
