If this is a really stupid noob question I apologize in advance, and
appreciate any answers I get from this.
I made a blog with rails, and just finished with the design. Upon
creating my first real post, I realized I couldn’t put links in my
posts. I mean I can write links yes, but what I want to do is this:
So I really have no idea what to do. I googled html filters, url
filters, and url parsers for about an hour before I posted this, so any
information would be helpful. Thanks
Looks to me like you’re running afoul of HTML sanitization. This is
in fact for your (or rather, your users’) protection, against
cross-site-scripting attacks. If you REALLY want to do that sort of
thing, you can explicitly mark the string as being already HTML-safe.
I’ll leave it to you to find out how to do that, as this is a serious
vulnerability, not to be left unprotected-against lightly.
Alternately, there are probably some plugins/gems/whatever that will
let your users insert a limited subset of tags, including links…
though of course the targets may contain cross-site-scripting
attacks…
Do you mean that you want the poster to be able to type <a
href="http…> (which is dangerous as Dave has pointed out) or that
you want the poster just to type www.site.com and that you will
automatically turn this into a link (in which case you could use
regular expressions to generate the links)?
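Both options Colin describes, as an added example that is not code from the original thread or from Rails itself: a stdlib-only Ruby allow-list filter that keeps only <a href> tags whose target is http(s), beside a regex autolinker that escapes first and then links bare URLs. The method names, regexes and sample inputs are my own; in a real app the Rails sanitize helper (or a sanitizing gem) does this job.

```ruby
require "erb"

# Constructed stand-in for a sanitizing helper: escape everything, then
# re-enable only <a href="..."> whose target uses an allow-listed scheme.
# A javascript: target is therefore rendered as visible text, not a link.
SAFE_SCHEMES = %w[http https].freeze
LINK_TAG = %r{<a\s+href=(["'])(.*?)\1\s*>(.*?)</a>}im

def safe_href?(href)
  # Allow-list on the scheme; scheme-less (relative) targets are accepted.
  return true unless href.include?(":")
  SAFE_SCHEMES.include?(href.strip.split(":", 2).first.to_s.downcase)
end

def allow_links(text)
  out = +""
  last = 0
  text.scan(LINK_TAG) do
    m = Regexp.last_match
    out << ERB::Util.html_escape(text[last...m.begin(0)])
    href, label = m[2], m[3]
    if safe_href?(href)
      out << %(<a href="#{ERB::Util.html_escape(href)}">#{ERB::Util.html_escape(label)}</a>)
    else
      out << ERB::Util.html_escape(m[0]) # unsafe target: show the tag as text
    end
    last = m.end(0)
  end
  out << ERB::Util.html_escape(text[last..])
end

# Colin's second option: the poster types a bare URL and we generate the link.
# Escaping before matching means the generated href cannot contain < > " or '.
URL_RE = %r{\b(?:https?://|www\.)[^\s<>"']+}i

def autolink(text)
  ERB::Util.html_escape(text).gsub(URL_RE) do |url|
    href = url.start_with?("www.") ? "http://#{url}" : url
    %(<a href="#{href}">#{url}</a>)
  end
end
```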
I am the only user on the site. Does either option still present a
threat for me?
If you allow people to comment, then their comments must likewise be
sanitized. If you do not, then that is an indirect hazard to you –
allowing common attack vectors like XSS vulnerabilities to go
unaddressed is hazardous to your professional reputation.
IOW, don’t just do it because of any direct immediate threat to you.
Do it because it’s The Right Thing To Do.