Using <a href> in a text field

If this is a really stupid noob question I apologize in advance, and
appreciate any answers I get from this.

I made a blog with rails, and just finished with the design. Upon
creating my first real post, I realized I couldn’t put links in my
posts. I mean I can write links yes, but what I want to do is this:

blah blah blah <a href="http://www.site.com">site</a> blah blah blah

So I really have no idea what to do. I googled html filters, url
filters, and url parsers for about an hour before I posted this, so any
information would be helpful. Thanks :smiley:

On Tue, Aug 17, 2010 at 11:18, Kaspir G. [email protected] wrote:

I couldn’t put links in my
posts. I mean I can write links yes, but what I want to do is this:

blah blah blah <a href="http://www.site.com">site</a> blah blah blah

Looks to me like you’re running afoul of HTML sanitization. This is
in fact for your (or rather, your users’) protection, against
cross-site-scripting attacks. If you REALLY want to do that sort of
thing, you can explicitly mark the string as being already HTML-safe.
I’ll leave it to you to find out how to do that, as this is a serious
vulnerability, not to be left unprotected-against lightly.

Alternately, there are probably some plugins/gems/whatever that will
let your users insert a limited subset of tags, including links…
though of course the targets may contain cross-site-scripting
attacks…

-Dave


Specialization is for insects. -RAH | Have Pun, Will Babble! -me
Programming Blog: http://codosaur.us | Work: http://davearonson.com
Leadership Blog: http://dare2xl.com | Play: http://davearonson.net
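The "limited subset of tags" option Dave describes, as an added example that is not from the thread and not Rails' own sanitizer: a plain-Ruby allowlist that lets through only `<a href="...">label</a>` with an absolute http(s) target, HTML-escapes everything else, and treats the link target itself as untrusted input. `render_post` and `safe_href?` are names assumed here; the returned string is what a Rails view would then mark as HTML-safe.

```ruby
require "cgi"
require "uri"

# Only this exact shape of link markup is permitted in a post body:
#   <a href="...">label</a>
# Any other tag, attribute or nesting is HTML-escaped so the browser
# renders it as literal text instead of interpreting it.
LINK_RE = %r{<a\s+href="([^"<>]*)"\s*>(.*?)</a>}im

SAFE_SCHEMES = %w[http https].freeze

# A link target is acceptable only if it parses as an absolute http(s) URL.
# This is the check that rejects javascript:/data: targets, the "targets may
# contain cross-site-scripting attacks" hazard raised in the thread.
# (Relative URLs are deliberately rejected too; widen this if you need them.)
def safe_href?(href)
  uri = URI.parse(href)
  SAFE_SCHEMES.include?(uri.scheme.to_s.downcase) && !uri.host.to_s.empty?
rescue URI::InvalidURIError
  false
end

# Turn an untrusted post body into HTML that is safe to emit unescaped:
# allowed links are re-emitted with an escaped href and escaped label
# (so no markup survives inside the label), and all surrounding text,
# including any rejected link, is escaped as a whole.
def render_post(text)
  out = +""
  last = 0
  text.scan(LINK_RE) do
    m = Regexp.last_match
    out << CGI.escapeHTML(text[last...m.begin(0)])
    href, label = m[1], m[2]
    out << if safe_href?(href)
             %(<a href="#{CGI.escapeHTML(href)}">#{CGI.escapeHTML(label)}</a>)
           else
             CGI.escapeHTML(m[0])
           end
    last = m.end(0)
  end
  out << CGI.escapeHTML(text[last..-1])
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample post bodies, one benign and one hostile.
  puts render_post(%(blah blah <a href="http://www.site.com">site</a> blah))
  puts render_post(%(<a href="javascript:alert(1)">click</a> <script>x()</script>))
end
```

Rails' own `sanitize` helper accepts `tags:` and `attributes:` allowlists for the same job; the hand-rolled version only makes the target check explicit.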

On 17 August 2010 16:18, Kaspir G. [email protected] wrote:

So I really have no idea what to do. I googled html filters, url
filters, and url parsers for about an hour before I posted this, so any
information would be helpful. Thanks :smiley:

Do you mean that you want the poster to be able to type <a
href="http…> (which is dangerous as Dave has pointed out) or that
you want the poster just to type www.site.com and that you will
automatically turn this into a link (in which case you could use
regular expressions to generate the links)?

Colin

On Tue, Aug 17, 2010 at 11:32, Kaspir G. [email protected] wrote:

I am the only user on the site. Does either option still present a
threat for me?

If you allow people to comment, then their comments must likewise be
sanitized. If you do not, then that is an indirect hazard to you –
allowing common attack vectors like XSS vulnerabilities to go
unaddressed, is hazardous to your professional reputation. :slight_smile:

IOW, don’t just do it because of any direct immediate threat to you.
Do it because it’s The Right Thing To Do.

-Dave


Specialization is for insects. -RAH | Have Pun, Will Babble! -me
Programming Blog: http://codosaur.us | Work: http://davearonson.com
Leadership Blog: http://dare2xl.com | Play: http://davearonson.net

Dave A. wrote:

On Tue, Aug 17, 2010 at 11:18, Kaspir G. [email protected] wrote:

I couldn’t put links in my
posts. I mean I can write links yes, but what I want to do is this:

blah blah blah <a href="http://www.site.com">site</a> blah blah blah

Looks to me like you’re running afoul of HTML sanitization. This is
in fact for your (or rather, your users’) protection, against
cross-site-scripting attacks. If you REALLY want to do that sort of
thing, you can explicitly mark the string as being already HTML-safe.
I’ll leave it to you to find out how to do that, as this is a serious
vulnerability, not to be left unprotected-against lightly.

Alternately, there are probably some plugins/gems/whatever that will
let your users insert a limited subset of tags, including links…
though of course the targets may contain cross-site-scripting
attacks…

-Dave

Thanks for your reply!

I am the only user on the site. Does either option still present a
threat for me?
