What escape or sanitize functions are out there?


#1

I found the following functions or methods to escape HTML, URL params, or
JavaScript data:

<%= h @ha %>
<%= sanitize @ha %>
<%= u @ha %>
<%= @ha.to_json %>
<%= strip_tags @ha %>

Are there more functions or methods to do these things?

And are there alternative ways to do that? Thanks.
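Added example (not code from the original post): the plain-Ruby standard-library calls that sit behind three of the helpers listed above, one per output context. `ERB::Util.html_escape` is what Rails' `h` calls and `ERB::Util.url_encode` is what `u` calls; `sanitize` and `strip_tags` are Rails-only, so a minimal tag-stripping regex stands in for them here and is labelled as such. The sample string is constructed.

```ruby
# Added example: stdlib equivalents of the Rails view helpers, grouped by the
# context the value is going into. Choose the escaper by destination (HTML,
# URL parameter, JSON), not by where the data came from.
require 'erb'
require 'json'

module EscapeDemo
  # Constructed sample input: ordinary text mixed with markup and both quotes.
  SAMPLE = %q{Tom & Jerry <b>say</b> "hi" 'there'}

  # HTML context (what `h` does): encodes &, <, >, " and ' so the browser
  # treats the value as text rather than markup or an attribute terminator.
  def self.for_html(str)
    ERB::Util.html_escape(str)
  end

  # URL query-parameter context (what `u` does): percent-encodes everything
  # except unreserved characters, so apply it to each value, not a whole query.
  def self.for_url_param(str)
    ERB::Util.url_encode(str)
  end

  # JSON/JavaScript context: stdlib JSON quotes the string and escapes ", \
  # and control characters, but leaves < and > untouched, so a JSON literal
  # written into an inline <script> still needs HTML-aware handling (Rails'
  # own to_json additionally escapes < > & as \uXXXX for that reason).
  def self.for_json(str)
    JSON.generate(str)
  end

  # Rough stand-in for strip_tags (NOT the Rails implementation): removes
  # anything that looks like a tag. The result is plain text, not HTML-safe
  # text; it must still go through for_html when rendered.
  def self.strip_tags_simple(str)
    str.gsub(/<[^>]*>/, '')
  end
end

if __FILE__ == $0
  puts EscapeDemo.for_html(EscapeDemo::SAMPLE)
  puts EscapeDemo.for_url_param('a b&c=d')
  puts EscapeDemo.for_json(EscapeDemo::SAMPLE)
  puts EscapeDemo.strip_tags_simple(EscapeDemo::SAMPLE)
end
```

Run it with `ruby escape_demo.rb`; the four lines printed show the same input rendered safely for HTML, safely as a single URL parameter value, as a JSON string literal, and with tags removed but quotes and ampersand still raw.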


#2

I have been using the xss_terminate plugin:

http://github.com/look/xss_terminate/tree/master

Basically it sanitizes values before they are stored in the database:

"Installing the plugin creates a +before_save+ hook that will strip HTML tags
from all string and text fields. No further configuration is necessary if this
is what you want. To customize the behavior, you use the +xss_terminate+ class
method."


#3

PP Junty wrote:

I have been using the xss_terminate plugin:

http://github.com/look/xss_terminate/tree/master

Basically it sanitizes values before they are stored in the database:

"Installing the plugin creates a +before_save+ hook that will strip HTML tags
from all string and text fields. No further configuration is necessary if this
is what you want. To customize the behavior, you use the +xss_terminate+ class
method."

Somebody also suggested replacing all "<" with "< ", and it seems like it
can be a very rude form of preventing malicious code? Thanks.
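Added example, not the xss_terminate plugin's code and not from either post: a plain-Ruby sketch of the "strip tags in a before_save hook" idea beside the "replace every '<' with '< '" idea, so the two can be compared on the same constructed input. The `Comment` class and its `save` method are a stand-in for an ActiveRecord model; no Rails is required.

```ruby
# Added example: input-time stripping (xss_terminate style) versus the naive
# '<' replacement, and why output escaping is still needed in both cases.
require 'erb'

module StoreVsOutput
  # Constructed sample: a tag, an ampersand and both quote styles.
  SAMPLE = %q{<i>Ann</i> & Bob said "ok" 'fine'}

  # Stand-in for a model with a before_save hook that strips HTML tags from
  # string fields (the behaviour the plugin README describes, re-implemented
  # here with a one-line regex, not the plugin's own code).
  class Comment
    attr_reader :body

    def initialize(body)
      @body = body
    end

    # The hook rewrites the field on save: tags are gone from the stored copy.
    def save
      @body = @body.gsub(/<[^>]*>/, '')
      self
    end

    # Stripping on input does not make the stored text safe for every
    # context, so rendering still escapes: the two are complementary.
    def render_html
      ERB::Util.html_escape(@body)
    end
  end

  # The thread's "<" -> "< " suggestion: one character is padded, nothing
  # is removed or encoded.
  def self.naive_lt_replace(str)
    str.gsub('<', '< ')
  end

  # Of the characters html_escape encodes, which ones the naive replacement
  # leaves verbatim in its output. For SAMPLE that is all of them, including
  # '<' itself, which is still present, just followed by a space.
  def self.left_verbatim_by_naive(str)
    naive = naive_lt_replace(str)
    %w[& < > " '].select { |c| naive.include?(c) }
  end
end

if __FILE__ == $0
  c = StoreVsOutput::Comment.new(StoreVsOutput::SAMPLE).save
  puts "stored:   #{c.body}"
  puts "rendered: #{c.render_html}"
  puts "naive:    #{StoreVsOutput.naive_lt_replace(StoreVsOutput::SAMPLE)}"
  puts "verbatim: #{StoreVsOutput.left_verbatim_by_naive(StoreVsOutput::SAMPLE).inspect}"
end
```

The stored body is plain text, which is what a tag-stripping hook buys you, but `render_html` still has to encode the ampersand and quotes because the database value is not HTML. The naive replacement changes neither the tag content nor any other special character, so it is not a substitute for either step.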