I found the following functions or methods to escape HTML, URL params, or
JavaScript data:
<%= h @ha %>
<%= sanitize @ha %>
<%= u @ha %>
<%= @ha.to_json %>
<%= strip_tags @ha %>
Are there more functions or methods to do these things?
And are there alternative ways to do that? Thanks.
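As an added example (not code from this thread or from Rails itself): the helpers listed above each target a different output context, and this plain-Ruby script uses `ERB::Util` and `JSON` from the standard library to show why each context needs its own escaper. `escape_html`, `escape_url`, `escape_json_for_script` and `render_profile` are assumed names standing in for `h`, `u` and `to_json`; the input string is constructed.

```ruby
require "erb"
require "json"

# Constructed sample of untrusted input (what a user might type into a form).
UNTRUSTED = %q{Tom & Jerry <script>alert("x")</script> 'o'}

# HTML body / attribute context: the same escaping h() applies in Rails.
# Every character that can open a tag, entity or quoted attribute is encoded.
def escape_html(str)
  ERB::Util.html_escape(str)
end

# URL query-value context: percent-encoding, like u() in Rails.
# HTML-escaping here would be wrong: "&amp;" is not a URL delimiter.
def escape_url(str)
  ERB::Util.url_encode(str)
end

# JavaScript context inside a <script> block. JSON.generate alone is not
# enough: it leaves "<" and ">" untouched, so a value containing "</script>"
# would end the script block early. Encoding <, >, & as \uXXXX keeps the JSON
# valid and inert in HTML; Rails' to_json does this by default.
def escape_json_for_script(obj)
  JSON.generate(obj).gsub(/[<>&]/) { |c| format('\u%04x', c.ord) }
end

# One template, three contexts, each with the escaper that matches it
# (assumed helper names; in Rails these would be h, u and to_json).
PROFILE_TEMPLATE = ERB.new(<<~'HTML')
  <p>Name: <%= escape_html(name) %></p>
  <a href="/search?q=<%= escape_url(name) %>">search</a>
  <script>var name = <%= escape_json_for_script(name) %>;</script>
HTML

def render_profile(name)
  PROFILE_TEMPLATE.result_with_hash(name: name)
end

puts render_profile(UNTRUSTED) if $PROGRAM_NAME == __FILE__
```

The rendered page contains the same user string three times, and in each place a different set of characters had to be neutralised.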
I have been using the xss_terminate plugin:
basically it sanitizes values before they are stored in the database:
“Installing the plugin creates a +before_save+ hook that will strip HTML tags from all string and text fields. No further configuration is necessary if this is what you want. To customize the behavior, you use the +xss_terminate+ class method.”
PP Junty wrote:
I have been using the xss_terminate plugin:
GitHub - look/xss_terminate: xss_terminate is a plugin in that makes stripping and sanitizing HTML stupid-simple. Install and forget. And forget about forgetting to h() your output, because you won‘t need to anymore.
basically it sanitizes values before they are stored in the database:
“Installing the plugin creates a +before_save+ hook that will strip HTML tags from all string and text fields. No further configuration is necessary if this is what you want. To customize the behavior, you use the +xss_terminate+ class method.”

Somebody also suggested replacing all “<” with "< ", and it seems like it
can be a very rude form of preventing malicious code? Thanks.