Prevent HTML input


#1

Hi all,
Is there any plugin to prevent an HTML form from accepting HTML in the input,
throughout the application?
Regards,
Pankaj


#2

What do you mean by preventing the form from accepting html input? Do you
want to prevent input while the user is typing, to check it in the browser
when the user clicks submit and not submit if there is html, or to parse the
data in the controller after it is submitted and fail validation if
necessary?

Note that the first two of these would not prevent someone posting html in
the form by manually building the post request rather than using your form
in a browser.

Colin

2009/5/9 pankaj removed_email_address@domain.invalid


#3

I want to parse the data on the server side after it is submitted and
fail validation if necessary.
Regards,
Pankaj


#4

How can this save form function be called for all the params passed?


#5

# strips tags from every string value under params[:form] (nested hashes would need recursion)
params[:form].each { |k, v| v.gsub!(/<[^>]*>/, '') if v.is_a?(String) }


===============================================================================
Tomas Meinlschmidt, MS {MCT, MCP+I, MCSE, AER}, NetApp Filer/NetCache

www.meinlschmidt.com www.maxwellrender.cz www.lightgems.cz



#6

hi,

just strip all the HTML tags, e.g.

def save_form
  # removes anything that looks like a tag from the textarea field
  params[:form]['textarea'].gsub!(/<[^>]*>/, '')
end

but that's a very simple example; you will probably have to construct a more
sophisticated solution (strip code inside JavaScript, etc.)

tom



#7

Thanks everyone for your replies.
I want to use the sanitize helper in one central location, so that I
do not have to write it for each form.
Regards,
Pankaj


#8

On 09/05/2009, at 6:05 PM, Colin L. removed_email_address@domain.invalid wrote:

What do you mean by preventing the form from accepting html input?
Do you want to prevent input while the user is typing, to check it
in the browser when the user clicks submit and not submit if there
is html, or to parse the data in the controller after it is
submitted and fail validation if necessary?

He means is there JavaScript client side validation to save a server
round trip for validation? I reckon that oughta be in rails 3 form
helpers.

Blog: http://random8.zenunit.com/
Learn: http://sensei.zenunit.com/
Twitter: http://twitter.com/random8r


#9

I’d also recommend that you use a somewhat more intelligent solution -
take a look at SanitizeHelper, part of ActionView:

http://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html

There are a lot of gotchas in trying to clean up user input, so it's
better if you can use a well-tested solution.

–Matt J.
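The "one central location" asked for in #7, written as an added example (not code from the thread or from Rails): a recursive scrubber built on the tag regex from #5/#6, plus an assumed ApplicationController mixin wired in with before_filter. The demo at the bottom also shows the gotchas #9 warns about: the regex removes ordinary text between a "<" and the next ">", and keeps whatever sat inside a tag pair.

```ruby
# Added example, not code from the thread: one place to strip tags from every
# parameter. It uses the tag regex posted in #5/#6, walks nested Hash/Array
# values (Rails params are nested), leaves non-strings alone and returns a new
# structure instead of mutating strings in place.
module ParamScrubber
  TAG = /<[^>]*>/

  def self.scrub(value)
    case value
    when String then value.gsub(TAG, '')
    when Hash   then value.each_with_object({}) { |(k, v), h| h[k] = scrub(v) }
    when Array  then value.map { |v| scrub(v) }
    else value # integers, nil, uploaded files and the like pass through
    end
  end
end

# Controller mixin (assumed wiring, Rails 2.x style):
#   class ApplicationController < ActionController::Base
#     include StripHtmlFilter
#     before_filter :strip_html_from_params
#   end
module StripHtmlFilter
  def strip_html_from_params
    params.replace(ParamScrubber.scrub(params))
  end
end

# Stand-in for a controller so the mixin can be exercised without Rails.
class FakeController
  include StripHtmlFilter
  attr_reader :params

  def initialize(params)
    @params = params
  end
end

if __FILE__ == $0
  ctrl = FakeController.new('form' => { 'textarea' => '<b>hi</b>', 'n' => 1 })
  ctrl.strip_html_from_params
  p ctrl.params                                  # {"form"=>{"textarea"=>"hi", "n"=>1}}
  # Why #9 recommends a well-tested sanitizer instead of this regex:
  p ParamScrubber.scrub('1 < 2 and 3 > 1')       # "1  1"  (legitimate text lost)
  p ParamScrubber.scrub('<script>f()</script>')  # "f()"   (tag content kept)
end
```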


#10

Hi Pankaj,

You'd like to take a look at the XSS Terminate plugin:
github.com/look/xss_terminate/tree/master

Install and forget ... as the Readme says. :)