Prevent HTML input

pankaj · May 9, 2009, 9:21am

Hi all,
Is there any plugin to prevent html form accepting HTML in the input,
throughout the application.
Regards,
Pankaj

pankaj · May 9, 2009, 10:06am

What do you mean by preventing the form from accepting html input? Do
you
want to prevent input while the user is typing, to check it in the
browser
when the user clicks submit and not submit if there is html, or to parse
the
data in the controller after it is submitted and fail validation if
necessary?

Note that the first two of these would not prevent someone posting html
in
the form by manually building the post request rather than using your
form
in a browser.

Colin

2009/5/9 pankaj [email protected]

pankaj · May 9, 2009, 1:05pm

I want to parse the data on the server side after it is submitted and
fail validation if necessary?
Regards,
Pankaj

pankaj · May 9, 2009, 1:41pm

How can this save form function be called for all the params passed?

pankaj · May 9, 2009, 3:45pm

params[:form].each{|k,v| v.gsub!(/<[^>]*>/,‘’) }

pankaj wrote:

end

Regards,
Pankaj
–
===============================================================================
Tomas Meinlschmidt, MS {MCT, MCP+I, MCSE, AER}, NetApp Filer/NetCache

www.meinlschmidt.com www.maxwellrender.cz www.lightgems.cz

–

Tomas Meinlschmidt, MS {MCT, MCP+I, MCSE, AER}, NetApp Filer/NetCache

www.meinlschmidt.com www.maxwellrender.cz www.lightgems.cz

pankaj · May 9, 2009, 1:15pm

hi,

just strip all the html tags, eg

def save_form
params[:form][‘textarea’].gsub!(/<[^>]*>/,‘’)
…
end

but that’s very simple example, you have probably to construct more
sophisticated solution (strip code inside javascripts etc)

tom

pankaj wrote:

Hi all,
Is there any plugin to prevent html form accepting HTML in the input,
throughout the application.
Regards,
Pankaj

–

Tomas Meinlschmidt, MS {MCT, MCP+I, MCSE, AER}, NetApp Filer/NetCache

www.meinlschmidt.com www.maxwellrender.cz www.lightgems.cz

pankaj · May 10, 2009, 12:59pm

thanks everyone for your replies.
I want to use the sanitize helper in one central location, so that i
donot have write it for each form.
Regards,
Pankaj

pankaj · May 11, 2009, 3:24am

On 09/05/2009, at 6:05 PM, Colin L. [email protected] wrote:

What do you mean by preventing the form from accepting html input?
Do you want to prevent input while the user is typing, to check it
in the browser when the user clicks submit and not submit if there
is html, or to parse the data in the controller after it is
submitted and fail validation if necessary?

He means is there JavaScript client side validation to save a server
round trip for validation? I reckon that oughta be in rails 3 form
helpers.

Blog: http://random8.zenunit.com/
Learn: http://sensei.zenunit.com/
Twitter: http://twitter.com/random8r

pankaj · May 9, 2009, 5:39pm

I’d also recommend that you use a somewhat more intelligent solution -
take a look at SanitizeHelper, part of ActionView:

There’s a lot of gotchas in trying to clean up user input, so it’s
better if you can use a well-tested solution.

–Matt J.

pankaj · May 11, 2009, 11:27am

Hi Pankaj,

You’d like a look at the XSS Terminate plugin. look (Luke Francl) · GitHub
xss_terminate/tree/master

Install and forget … as the Readme says.