YUI, Hpricot and security

I’m creating a site that involves a blog, using Rails 2.3.8.
I’ve used the YUI Rich Text Editor to allow posts to be created (the
blog is for a photo site so images have to be uploaded) and the
SimpleEditor for posting comments.

In both cases, I'm using Hpricot to parse the HTML for index and show.

I’m concerned about security, as I cannot use h or sanitize on the
output because if I do I lose the rich text functionality that the
client wants. But of course that opens the site to attack.

I really need some server side validation. I found some old posts on
this topic (2006) but the links were broken.

I’m sure other people have faced this problem before. Can anybody
point me in the direction of something that can help me validate the
html output so I can sleep better?

Answering my own question.
As security, in this case, involves the prevention of injected
JavaScript from executing, I wrote a method to scan for 'script' tags.

require 'nokogiri'

def strip_script_tags(post)
  # Return the post untouched when it contains no <script> element,
  # otherwise replace the whole post with a warning
  if Nokogiri::HTML(post).css('script').empty?
    post
  else
    '<span style="color: #ff0000;">Contents removed for security reasons!</span>'
  end
end


So instead of h(post.post), I have strip_script_tags(post.post), which
prevents any script tags from being presented to the browser but
allows all the other rich goodness introduced by the YUI editor.

(I changed to Nokogiri on the way)
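As an added example that is not part of the original thread, the block below shows the allowlist approach to server-side HTML sanitization, written in Python with only its standard-library parser so it runs stand-alone (it is the same idea Rails' sanitize helper implements when given explicit :tags and :attributes lists): instead of looking for one tag, it keeps only known-safe elements and attributes, so event-handler attributes and javascript: URLs that involve no script tag at all are dropped as well. The tag and attribute lists are constructed for this example and would be tuned to what the YUI editor actually emits.

```python
from html import escape
from html.parser import HTMLParser

# Allowlists constructed for this example; everything not listed is dropped.
# Note that no "on*" event-handler attribute is ever allowed.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "u", "ul", "ol", "li",
                "a", "img", "span"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "width", "height"}}
VOID_TAGS = {"br", "img"}          # no closing tag is emitted for these
DROP_CONTENT = {"script", "style"}  # element and its text are both removed


def safe_url(value):
    """Allow absolute http(s) URLs and site-relative paths only, which
    rejects javascript:, data:, vbscript: and protocol-relative (//host) URLs."""
    v = value.strip().lower()
    return v.startswith(("http://", "https://")) or (
        v.startswith("/") and not v.startswith("//"))


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown element is dropped, its text content is kept
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name in ("href", "src") and not safe_url(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))  # text is re-escaped


def sanitize(html):
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)
```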
