Forum: Ruby on Rails what escape or sanitize functions are out there?

winter heat (winterheat)
on 2009-04-22 17:27
I found the following functions or methods to escape HTML, URL params, or
Javascript data:

<%= h @ha %>
<%= sanitize @ha %>
<%= u @ha %>
<%= @ha.to_json %>
<%= strip_tags @ha %>

Are there more functions or methods to do these things?

And are there alternative ways to do that? Thanks.
Py Jay (ppjunty)
on 2009-04-22 23:06
I have been using the xss_terminate plugin:

http://github.com/look/xss_terminate/tree/master

basically it sanitizes values before they are stored in the database:

"Installing the plugin creates a +before_save+ hook that will strip HTML tags
from all string and text fields. No further configuration is necessary if this
is what you want. To customize the behavior, you use the +xss_terminate+ class
method."
winter heat (winterheat)
on 2009-04-22 23:10
PP Junty wrote:
> i have been using the xss_terminate plugin:
>
> http://github.com/look/xss_terminate/tree/master
>
> basically it sanitizes values before they are stored in the database:
>
> "Installing the plugin creates a +before_save+ hook that will strip HTML tags
> from all string and text fields. No further configuration is necessary if this
> is what you want. To customize the behavior, you use the +xss_terminate+ class
> method."

Somebody also suggested replacing all "<" with "< ", and it seems like that
can be a very rude form of preventing malicious code? Thanks.
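To compare the helpers from the first post with the "replace < with < " idea, here is an added example (not code from the thread or from Rails). It uses Ruby's standard ERB::Util, which Rails' h and u wrap, and the json library for to_json; sanitize and strip_tags are left out because they need Rails' HTML sanitizer. The input string is constructed for the demonstration.

```ruby
require 'erb'
require 'json'

# Constructed untrusted input containing the characters each helper cares about.
UNTRUSTED = %q{<b>"Tom" & Jerry</b> said: it's 50% off}

# h: for HTML text and quoted attribute values; escapes & < > " and '.
def html_escaped(s)
  ERB::Util.html_escape(s)
end

# u: for one query-string parameter value; percent-encodes everything
# outside [A-Za-z0-9_.~-], so it is NOT a substitute for h in HTML.
def url_escaped(s)
  ERB::Util.url_encode(s)
end

# to_json: produces a JavaScript string literal. It escapes quotes and
# backslashes but does not HTML-escape, so the result is only safe inside
# a script context, not as HTML text.
def json_escaped(s)
  s.to_json
end

# The "replace < with < " idea from the thread, for comparison: it breaks
# tags but leaves quotes and ampersands intact, so attribute values and
# entities are not handled at all.
def naive_lt_replace(s)
  s.gsub('<', '< ')
end

# Each context gets its own helper: the URL parameter is url-encoded,
# the attribute and the text node are html-escaped.
def build_link(label, query)
  %Q{<a href="/search?q=#{url_escaped(query)}" title="#{html_escaped(label)}">#{html_escaped(label)}</a>}
end
```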