Sanitizing HTML in a model?

I’m making a messaging application and am wondering if there’s a way to
do HTML sanitization in the model instead of in the view. My application
accepts a message from the user, which must then be sanitized before
it’s posted. I know that I can do <%=h %> in the view, or use
sanitize(), but I would like to do it before the record is even saved as
I figured it’s better to fix the problem right at the beginning. Is
there a way to do the equivalent of =h in a Model?

On Mon, 2007-10-15 at 19:22 +0200, Christopher B. wrote:

> I’m making a messaging application and am wondering if there’s a way to
> do HTML sanitization in the model instead of in the view. My application
> accepts a message from the user, which must then be sanitized before
> it’s posted. I know that I can do <%=h %> in the view, or use
> sanitize(), but I would like to do it before the record is even saved as
> I figured it’s better to fix the problem right at the beginning. Is
> there a way to do the equivalent of =h in a Model?

h() is just "html string".gsub('&', '&amp;').gsub('<', '&lt;').gsub('>', '&gt;').gsub('"', '&quot;')

Although I would actually stick to using <%=h instead of putting
sanitised data in the database… What if you change your mind about
sanitising, or want to display data differently based on the type of
user (html for admin, h-ed for everyone else)?


Tore D.
[email protected]
Trondheim, NO
http://tore.darell.no/

This plugin http://www.railslodge.com/plugins/112-text-formatter should
do what you require.

Christopher B. wrote:

> I’m making a messaging application and am wondering if there’s a way to
> do HTML sanitization in the model instead of in the view. My application
> accepts a message from the user, which must then be sanitized before
> it’s posted. I know that I can do <%=h %> in the view, or use
> sanitize(), but I would like to do it before the record is even saved as
> I figured it’s better to fix the problem right at the beginning. Is
> there a way to do the equivalent of =h in a Model?

Two points:

Remember to sanitize EVERYTHING, either when you store it (by
disallowing certain characters, say in a username) or when you display
it (using h(), <%=h … %> or whatever you choose.)

I personally use a script that will disallow tags, and
Javascript URIs in links, etc. It uses an allow list, not a disallow
list, so new exploits should be detected more easily than with a
filter.

–Michael

I suggest you take a peek at:

http://golem.ph.utexas.edu/~distler/blog/archives/001181.html

Thanks for the suggestions. I just discovered the CGI.escapeHTML()
function. Would that be a workable alternative to writing my own
function or using the plug-in listed above?

Christopher B. wrote:

> Thanks for the suggestions. I just discovered the CGI.escapeHTML()
> function. Would that be a workable alternative to writing my own
> function or using the plug-in listed above?

chris -

precisely.

Shai R. wrote:

> Christopher B. wrote:
>
> > Thanks for the suggestions. I just discovered the CGI.escapeHTML()
> > function. Would that be a workable alternative to writing my own
> > function or using the plug-in listed above?
>
> chris -
>
> precisely.

i did the exact same thing, saving the title in a before_save call:

    before_save :securetitle

    # Escape &, <, >, " in the title before the row is written.
    # CGI.escapeHTML raises on nil, so skip a missing title.
    def securetitle
      self.title = CGI.escapeHTML(self.title) if self.title
    end
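An added example (not code from the thread) showing the one pitfall of the before_save approach above: a callback that escapes unconditionally re-escapes the already-stored value on every later update, so the stored text drifts to `&amp;lt;b&amp;gt;`. The `Message` class is a hypothetical stand-in for an ActiveRecord model, and `changed?` mimics dirty tracking; the guarded variant escapes only when the title actually changed since the last save.

```ruby
require 'cgi'

# Hypothetical stand-in for an ActiveRecord model with a before_save hook;
# this is not Rails code. @stored_title plays the role of the row in the
# database, and changed? mimics dirty tracking for the title column.
class Message
  attr_accessor :title
  attr_reader :stored_title

  def initialize(title)
    @title = title
    @stored_title = nil
  end

  def changed?
    @title != @stored_title
  end

  # Naive callback as posted in the thread: escapes on every save, so an
  # update that never touched the title escapes the escaped value again.
  def save_naive
    @title = CGI.escapeHTML(@title) if @title
    @stored_title = @title
  end

  # Guarded callback: escape only when the title changed since the last
  # save, so a stored, already-escaped value is written back untouched.
  def save_guarded
    @title = CGI.escapeHTML(@title) if @title && changed?
    @stored_title = @title
  end
end

# Save `saves` times with the chosen callback and return what ends up
# stored, which is what the view would later render.
def stored_after(text, saves, guarded: false)
  m = Message.new(text)
  saves.times { guarded ? m.save_guarded : m.save_naive }
  m.stored_title
end
```

The same double-encoding would bite Tore's "change your mind later" scenario: once the database holds escaped text, every reader has to know whether a given row was escaped once, twice or not at all.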

    class Article < ActiveRecord::Base
      include ActionView::Helpers::SanitizeHelper

      # Strip disallowed tags and attributes once, before the row is first written.
      def before_create
        self.description = sanitize(self.description)
      end
    end

That’s how I do it. This will be using Rails 2.0’s whitelist sanitize
helper.

On 10/15/07, Christopher B. [email protected]
wrote:


Cheers!