So I’ve googled my brains out, and I see a lot of talk about TextHelper for views, but next to no discussion about cleaning text before it is saved.
I figured this had to be asked 4 zillion times, but I’m not finding
Using h is fine as a safety catch, but that alone is not acceptable to me as the means of defusing the impact of HTML or JS in text data. It needs to be removed / tested for in validations for rejection (and of course it should be wise to all the entity/unicode/null and other obfuscation tricks).
I did see refs to some tools like whitelist, but again, they’re all focused on the display side of things.
Obviously I can use validates_format_of for the vast majority of small fields that can be restricted to known characters which would preclude an HTML/XSS injection. But there are plenty of larger, free-text fields where that’s not practical.
I’m surprised there’s no basic validation for this (that I can see), so I’m hoping that’s because there’s a common technique which combines some other tool with validations to do this?
What I’m thinking of is something like strip_tags except that it is usable on the model side of things.
– gw (www.railsdev.ws)
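One way to do the model-side check the post asks for, as an added example that is not from the original thread, from Rails, or from the poster: a plain Ruby helper (the MarkupGuard name and its methods are my own, not a Rails API) that undoes entity, unicode and NUL-byte obfuscation before looking for tag-shaped input, so a validation can reject or strip markup before the record is saved rather than relying on h at display time.

```ruby
require 'cgi'

# MarkupGuard is an assumed helper name, not part of Rails.
# It canonicalises text roughly the way a browser would before
# looking for tags, so an entity-encoded, NUL-split or full-width "<"
# cannot slip past a naive strip_tags-style check.
module MarkupGuard
  MAX_DECODE_PASSES = 3                 # catch double-encoded entities
  TAG_RE = %r{</?[a-zA-Z!?]}            # "<b", "</b", "<!--", "<?xml"

  # Return the text with obfuscations undone (assumes UTF-8 input).
  def self.normalize(text)
    s = text.to_s.dup
    MAX_DECODE_PASSES.times do
      # strip NUL bytes, then decode &lt; &#60; &#x3C; ... one layer at a time
      decoded = CGI.unescapeHTML(s.delete("\u0000"))
      break if decoded == s
      s = decoded
    end
    s.unicode_normalize(:nfkc)          # "＜script＞" -> "<script>"
  end

  # True if the canonical form contains anything tag-shaped;
  # a bare "<" followed by a space or digit (e.g. "2 < 3") is left alone.
  def self.contains_markup?(text)
    TAG_RE.match?(normalize(text))
  end

  # strip_tags-like: drop tag-shaped runs from the canonical text.
  # The result is unescaped plain text; h/ERB escaping on display still applies.
  def self.strip_markup(text)
    normalize(text).gsub(%r{</?[a-zA-Z!?][^>]*>?}, "")
  end
end

# In a Rails model this could hang off an ordinary validate block, e.g.
#   validate { errors.add(:body, "contains HTML") if MarkupGuard.contains_markup?(body) }
```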