Preventing XSS attacks in rails

I have a script that uses the NET::HTTP class to scrape information off
of a website. I take that html and insert it into a database. How do I
escape all tags before inserting into database? Anything similar to
PHP’s mysql_escape_string? Or do I just invoke the h() or sanitize()
functions in the view before displaying the data?

On 5/31/07, hyped [email protected] wrote:

I have a script that uses the NET::HTTP class to scrape information off
of a website. I take that html and insert it into a database. How do I
escape all tags before inserting into database? Anything similar to
PHP’s mysql_escape_string? Or do I just invoke the h() or sanitize()
functions in the view before displaying the data?

I have a white_list helper for this:
http://svn.techno-weenie.net/projects/plugins/white_list/

h() will escape everything and sanitize() misses a lot of edge cases.


Rick O.
http://lighthouseapp.com
http://weblog.techno-weenie.net
http://mephistoblog.com

Hi Rick,

I recently came across a little bug in your plugin. I was eventually
going to file a bug report, but since it was mentioned on the list, I
thought I’d report it here…

The following test fails on the latest svn rev…

def test_closing_tag_regex_should_be_less_greedy
assert_white_listed %(BEFORE
AFTERBOLD!),
%(BEFORE AFTERBOLD!)
end

-christos

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs