Rails has always had ways to sanitize the display of data and since 2.x
there is even white-listing included. However, I think most of the time
it gets the wrong end of things when user-provided data is sanitized on
display. The unsanitary parts shouldn’t have been allowed in from the
The right point, in my opinion, is in (or before) a controller’s #create
and #update actions; not in the model, as I might want to allow the
backend to insert data that a user couldn’t.
Before I whip up my own solution, I’ve looked for plugins doing this,
but didn’t find any. Is there already relevant code floating around?
When you sanitize, you assume that the data will be rendered in browser,
because sanitization is all about removing things that may be harmful in
that rendering environment.
If you ever plan on offering other ways to render your data (say, for
example, via an API to your service), then your pre-storage sanitization
has not made anything safer, and has in fact caused data loss. On top
of that, you have to sanitize again, to make the data safe for rendering
in XML, JSON, or whatever other output formats your API may offer.
So pre-storage sanitization is, generally speaking, a Bad Idea™.
It’s a philosophical debate, of course, but that’s where I stand on it.
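An added example to make the point above concrete (this is editor-supplied code, not from any poster in this thread): the same constructed user input is stored once as-is and once pre-escaped for HTML, then rendered for an HTML page, a JSON API and plain text. Escaping at render time with Ruby's stdlib ERB::Util.html_escape and JSON keeps every consumer correct, while the pre-escaped copy double-escapes in HTML and leaks HTML entities into the JSON output. The input string is constructed for the demo; the helper names are hypothetical.

```ruby
require 'erb'
require 'json'

# Constructed sample of user-provided input (not from the thread). It mixes an
# innocent ampersand with a script tag and quotes so each context is exercised.
RAW_INPUT = %q{Tom & Jerry <script>alert(1)</script> say "hi"}

# Pre-storage approach from the question: escape for HTML, then store that.
def store_html_escaped(input)
  ERB::Util.html_escape(input)
end

# Approach from the answer: store the raw bytes, escape only when rendering.
def store_raw(input)
  input
end

# HTML context: escape at render time, whatever was stored.
def render_html(stored)
  "<p>#{ERB::Util.html_escape(stored)}</p>"
end

# JSON API context: the JSON encoder does the escaping for this context.
def render_json(stored)
  JSON.generate({ 'comment' => stored })
end

# Plain-text context (e.g. an e-mail notification): no escaping applies.
def render_text(stored)
  stored
end

# Does a JSON consumer get back exactly what the user typed?
def json_round_trips?(stored, original)
  JSON.parse(render_json(stored))['comment'] == original
end

if __FILE__ == $0
  [store_raw(RAW_INPUT), store_html_escaped(RAW_INPUT)].each do |stored|
    puts "stored:  #{stored}"
    puts "html:    #{render_html(stored)}"
    puts "json:    #{render_json(stored)}"
    puts "text:    #{render_text(stored)}"
    puts "json ok: #{json_round_trips?(stored, RAW_INPUT)}"
    puts
  end
end
```

Run it and compare the two blocks of output: the raw-stored value renders safely in HTML (no live script tag) and round-trips through JSON, whereas the pre-escaped value shows "&amp;amp;" in HTML and hands "&lt;script&gt;" to the API client, which is the data loss the answer describes.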
This is crap! Someone who deliberately inserts malicious code into data
does not deserve to see his data saved in the correct way.
Sanitization must happen before data gets saved into the DB. Maybe
someday you will forget to escape a field, and BOOOM it blows all over