Hi,
I have a form where a user can input free text including ampersands,
single and double quotes. When I display the text field, I escape it
using h() to prevent XSS hacks etc. but I want the &, ’ and " to be
displayed unescaped. Is there a simple way to do this? The text can
appear in multiple locations on my site, so I really need a global
solution. Should I re-write the h() subroutine and place it in
application.rb?
Lindsay
Argh! This only happens if I escape the text more than once…
h(h(string)).
Lindsay
Hi,
We allow html input from users that needs to be redisplayed back to
the user. I settled on using http://pixel-apes.com/safehtml/. It’s
the only open source ‘package’ that I could find. There’s lots of
articles and ideas on the net on how to do it, but I wanted something
I didn’t need to maintain. Just remember that an XSS style attacks is
a never ending battle. New vulnerabilities are constantly being
discovered, so don’t expect this to be a drop in and forget it
solution.
Although it’s php based, I ended up wrapping it behind an object that
simply shells out and runs a php command line script that takes the
html on stdin and gives back the cleaned html on stdout.
Alex
On Feb 7, 5:12 am, Lindsay B. [email protected]
This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.
Sponsor our Newsletter | Privacy Policy | Terms of Service | Remote Ruby Jobs