What escape or sanitize functions are out there?

I found the following functions or methods to escape HTML, URL params, or
JavaScript data:

<%= h @ha %>
<%= sanitize @ha %>
<%= u @ha %>
<%= @ha.to_json %>
<%= strip_tags @ha %>

Are there more functions or methods to do these things?

And are there alternative ways to do that? Thanks.

I have been using the xss_terminate plugin:

Basically it sanitizes values before they are stored in the database:

“Installing the plugin creates a +before_save+ hook that will strip HTML tags from all string and text fields. No further configuration is necessary if this is what you want. To customize the behavior, you use the +xss_terminate+ class method.”

PP Junty wrote:

I have been using the xss_terminate plugin:

GitHub - look/xss_terminate: xss_terminate is a plugin in that makes stripping and sanitizing HTML stupid-simple. Install and forget. And forget about forgetting to h() your output, because you won't need to anymore.

Basically it sanitizes values before they are stored in the database:

“Installing the plugin creates a +before_save+ hook that will strip HTML tags from all string and text fields. No further configuration is necessary if this is what you want. To customize the behavior, you use the +xss_terminate+ class method.”

Somebody also suggested replacing all "<" with "< ", and it seems like it
can be a very rude form of preventing malicious code? Thanks.
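
The helpers listed in the question each target one output context, and the "<" to "< " replacement mentioned in the last post covers only part of the HTML one. The following is an added example, not code from any poster in this thread: it uses the Ruby standard library equivalents of `h` (`ERB::Util.html_escape`) and `u` (`ERB::Util.url_encode`), since `sanitize` and `strip_tags` need Rails itself. The sample string and the method names are constructed for illustration.

```ruby
require "erb"
require "json"

# Constructed sample input: markup characters, double quotes and an ampersand.
UNTRUSTED = %q{<b title="x">Tom & "Jerry"</b>}

# HTML context: what <%= h value %> produces.
def for_html(value)
  ERB::Util.html_escape(value)
end

# URL parameter context: what <%= u value %> produces.
def for_url_param(value)
  ERB::Util.url_encode(value)
end

# JavaScript data context: a JSON string literal, with <, > and & additionally
# written as \uXXXX so the literal cannot close an inline <script> block.
def for_js_data(value)
  value.to_json.gsub(/[<>&]/) { |c| format('\u%04x', c.ord) }
end

# The replacement suggested in the thread: every "<" becomes "< ".
def space_after_lt(value)
  value.gsub("<", "< ")
end

# Characters with special meaning in HTML that are still present unescaped.
def html_specials_left(text)
  text.scan(/[<>"]|&(?!(?:amp|lt|gt|quot|#39);)/).uniq.sort
end

puts for_html(UNTRUSTED)
puts for_url_param(UNTRUSTED)
puts for_js_data(UNTRUSTED)
puts space_after_lt(UNTRUSTED)
# After h nothing special is left. After the "< " replacement the "<" no longer
# starts a tag, but quotes, ">" and "&" pass through untouched, which matters
# when the value is written inside an attribute.
p html_specials_left(for_html(UNTRUSTED))
p html_specials_left(space_after_lt(UNTRUSTED))
```

Escaping at output time, per context, also covers data that reached the database by a path that skipped a before_save hook.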