Sanitize: Is it a bug?

Hi, I was trying to upload something using a textarea whose data
will be shown as HTML using the sanitize method.
Everything was OK as far as scripts go, but when I tried it, it
escaped the <
Why is this? Is it a bug in sanitize? I knew that an HTML comment is just
a comment, so why escape it? And if it isn't a bug, is it possible to
not escape the <? Or is it safer to escape it? Why?
Thanks

Mix M. wrote:

Hi, I was trying to upload something using a textarea whose data
will be shown as HTML using the sanitize method.
Everything was OK as far as scripts go, but when I tried it, it
escaped the <
Why is this? Is it a bug in sanitize? I knew that an HTML comment is just
a comment, so why escape it? And if it isn't a bug, is it possible to
not escape the <? Or is it safer to escape it? Why?

sanitize doesn't know about HTML semantics or tags. It just knows about
HTML characters, and so it happily goes about encoding your less-than
sign.

It’s proper behavior too, because you generally don’t want people to
embed hidden HTML. You want to output everything they put into that
textarea.


Roderick van Domburg
http://www.nedforce.com

Roderick van Domburg wrote:

sanitize doesn't know about HTML semantics or tags. It just knows about
HTML characters, and so it happily goes about encoding your less-than
sign.

It’s proper behavior too, because you generally don’t want people to
embed hidden HTML. You want to output everything they put into that
textarea.


Roderick van Domburg
http://www.nedforce.com

Mmm… OK, and what if I want to hide those comments? Is it possible to
add to sanitize a rule to skip them?
In the API there is this: "You can modify what gets sanitized by defining
VERBOTEN_TAGS and VERBOTEN_ATTRS before this Module is loaded."
And nothing else…

Mix M. wrote:

Roderick van Domburg wrote:

sanitize doesn't know about HTML semantics or tags. It just knows about
HTML characters, and so it happily goes about encoding your less-than
sign.

It’s proper behavior too, because you generally don’t want people to
embed hidden HTML. You want to output everything they put into that
textarea.

Mmm… OK, and what if I want to hide those comments? Is it possible to
add to sanitize a rule to skip them?
In the API there is this: "You can modify what gets sanitized by defining
VERBOTEN_TAGS and VERBOTEN_ATTRS before this Module is loaded."
And nothing else…

No, sanitize can't do that for you. You'd need to write a custom
sanitizer, splitting the input, keeping your comments, and sanitizing
the rest, possibly using Rails' default sanitizer.


Roderick van Domburg
http://www.nedforce.com

Roderick van Domburg wrote:

No, sanitize can't do that for you. You'd need to write a custom
sanitizer, splitting the input, keeping your comments, and sanitizing
the rest, possibly using Rails' default sanitizer.


Roderick van Domburg
http://www.nedforce.com

mmm… OK, so I think it's better to do something directly in the
model, like

def before_save
  # strip HTML comments before the record is stored
  # (the comment pattern was lost in extraction; reconstructed from the stated intent)
  self.text = self.text.gsub(/<!--.*?-->/m, '')
end

it should work… :)
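A stand-alone sketch of the approach Roderick describes (remove the comments first, then let the escaping sanitizer handle everything else), written as an added example rather than code from the thread. CGI.escapeHTML is assumed here as a stand-in for Rails' sanitize helper, and the sample input is constructed.

```ruby
require 'cgi'

# Stand-in for Rails' sanitize helper (assumption): it escapes HTML
# characters and, like sanitize, knows nothing about comments.
def escape_rest(text)
  CGI.escapeHTML(text)
end

# Drop HTML comments. /m lets a comment span lines; the non-greedy .*?
# stops at the first "-->" so two comments on one line do not swallow the
# text between them. An unterminated "<!--" does not match and therefore
# falls through to escape_rest, where its "<" is encoded like any other.
def strip_comments(text)
  text.gsub(/<!--.*?-->/m, '')
end

# Order matters: comments must go before escaping, because once "<" has
# become "&lt;" the comment regex no longer sees a comment (which is
# exactly why sanitize alone shows the comment text).
def prepare_for_display(text)
  escape_rest(strip_comments(text))
end

# Constructed sample textarea content
SAMPLE = "hello <!-- hidden note --> world <!-- multi\nline --> <b>bold</b> <!-- dangling"

def demo
  prepare_for_display(SAMPLE)
end

puts demo if __FILE__ == $0
```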