Partially escape user entered text?


#1

Hi,

I have a form where a user can input free text including ampersands,
single and double quotes. When I display the text field, I escape it
using h() to prevent XSS hacks etc. but I want the &, ’ and " to be
displayed unescaped. Is there a simple way to do this? The text can
appear in multiple locations on my site, so I really need a global
solution. Should I re-write the h() subroutine and place it in
application.rb?

Lindsay


#2

Argh! This only happens if I escape the text more than once…
h(h(string)).

Lindsay
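
An added example, not code from the thread, showing in plain Ruby why `h(h(string))` turns `&` into a visible `&amp;`, and a once-only escaping helper modelled on the idea behind Rails' `html_safe` marker. `EscapedHtml`, `safe_escape` and the sample text are assumptions for the demonstration.

```ruby
require 'erb'

# Constructed sample of the kind of free text the original post describes:
# ampersands, both quote styles, and some markup that must not be rendered.
SAMPLE = %q(Tom & Jerry's "best" <script>alert(1)</script>)

# Escaping exactly once is what protects against XSS. The browser renders
# "&amp;" as "&", so the user still sees the ampersand and quotes as typed.
def escape_once(text)
  ERB::Util.html_escape(text)   # same as Rails' h()
end

# The bug from post #2: escaping an already-escaped string re-escapes the
# entities, so the page shows literal "&amp;" and "&quot;" to the reader.
def escape_twice(text)
  ERB::Util.html_escape(ERB::Util.html_escape(text))
end

# Hypothetical stand-in for Rails' html_safe marker: a String subclass that
# records that its content has already been escaped.
class EscapedHtml < String
  def html_safe?
    true
  end
end

# Escape only if the value is not already marked as escaped, so the same
# helper can be called from several views and partials without stacking up.
def safe_escape(text)
  return text if text.respond_to?(:html_safe?) && text.html_safe?
  EscapedHtml.new(ERB::Util.html_escape(text))
end
```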


#3

Hi,

We allow html input from users that needs to be redisplayed back to
the user. I settled on using http://pixel-apes.com/safehtml/. It’s
the only open source ‘package’ that I could find. There are lots of
articles and ideas on the net on how to do it, but I wanted something
I didn’t need to maintain. Just remember that an XSS-style attack is
a never ending battle. New vulnerabilities are constantly being
discovered, so don’t expect this to be a drop-in-and-forget-it
solution.

Although it’s php based, I ended up wrapping it behind an object that
simply shells out and runs a php command line script that takes the
html on stdin and gives back the cleaned html on stdout.

Alex

On Feb 7, 5:12 am, Lindsay B. removed_email_address@domain.invalid