Forum: Ruby on Rails what to use for sanitize?

Announcement (2017-05-07): is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see and for other Rails- and Ruby-related community platforms.
Mix Mix (mix)
on 2009-05-12 13:53
(Received via mailing list)
Hi, I'm allowing users to upload HTML stuff, what can I use to
sanitize it? h() is not good as it escapes everything, and I've found
that the Rails sanitize() is too strict, it sanitizes also CSS style
attributes, so users cannot personalize their HTML... I'd like
something which permits including code like YouTube embeds, CSS
styles (only inline, not by external link), which strips stuff like
html, head and keeps just the body, and all the script tags or btw
everything which could cause XSS and other problems... what do you
Matt Jones (Guest)
on 2009-05-12 18:38
(Received via mailing list)
Good luck with that - it's not (in general) possible to do this. Even
if you kill off all the scripting, with some CSS knowledge, a
malicious user could make a fake login page and phish people.

Little things like IE6 and 7's support of javascript in CSS attributes
could also cause trouble...

--Matt Jones
pharrington (Guest)
on 2009-05-12 21:44
(Received via mailing list)
You can customize Rails' builtin sanitation by setting
config.action_view.sanitized_allowed_tags and such in your

config.action_view.sanitized_allowed_tags = %w[ list of additional html tags to allow ]

You can do the same with
sanitized_allowed_css_properties and sanitized_allowed_css_keywords.
However, this is 1) fairly inflexible, as it affects the operation of
all sanitize() calls, and 2) sanitize uses Ruby Tokenizer, which is
slow. You might be better off looking into the Hpricot-based Sanitize
gem (; however I myself haven't yet
used it, and it looks like it's only geared toward HTML so I don't know
if it's able to sanitize CSS attributes.
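As an added example (not code from this thread, from Rails, or from the Sanitize gem), here is a minimal plain-Ruby allowlist sanitizer showing the tag, attribute and CSS-property filtering the replies above describe, including the rejection of url()/expression() values that old IE executed from CSS; the helper names are assumptions and the regex tokenizer is for illustration only.

```ruby
# Added illustration of the allowlist approach discussed above; it is not
# Rails' sanitize() nor the Sanitize gem. The simplified regex tokenizer is
# for demonstration only: a real deployment should use a parser-based
# library, and the helper names here (sanitize_fragment, clean_style,
# clean_attrs) are hypothetical.
ALLOWED_TAGS  = %w[p br b i em strong a span div].freeze
ALLOWED_ATTRS = { "a" => %w[href], "span" => %w[style],
                  "div" => %w[style], "p" => %w[style] }.freeze
ALLOWED_CSS   = %w[color background-color font-size font-weight text-align].freeze

# Keep only allowlisted CSS properties, and drop any value that could carry
# code: url()/expression() (old IE ran script from CSS), escapes, comments,
# entities or angle brackets that could hide the same tokens.
def clean_style(style)
  style.split(";")
       .map { |decl| decl.split(":", 2).map(&:strip) }
       .select { |prop, val| prop && val && ALLOWED_CSS.include?(prop.downcase) }
       .reject { |_, val| val =~ %r{url\s*\(|expression\s*\(|[&\\<>]|/\*}i }
       .map { |prop, val| "#{prop.downcase}: #{val}" }
       .join("; ")
end

# Rebuild the attribute string from scratch: only double-quoted attributes on
# the tag's allowlist survive, style is filtered, href must be http(s)/relative.
def clean_attrs(tag, raw)
  allowed = ALLOWED_ATTRS.fetch(tag, [])
  raw.scan(/([a-zA-Z-]+)\s*=\s*"([^"]*)"/).map do |name, value|
    name = name.downcase
    next unless allowed.include?(name)
    if name == "style"
      value = clean_style(value)
      next if value.empty?
    elsif name == "href"
      next unless value =~ %r{\A(https?://|/)}i
    end
    %( #{name}="#{value}")
  end.compact.join
end

# Walk the fragment: allowlisted tags are re-emitted with cleaned attributes,
# every other tag is dropped, and any stray "<" is escaped as text.
def sanitize_fragment(html)
  html.gsub(%r{<(/?)([a-zA-Z0-9]+)([^>]*)>|<}) do |m|
    next "&lt;" if m == "<"
    closing, tag, attrs = $1, $2.downcase, $3
    next "" unless ALLOWED_TAGS.include?(tag)
    closing.empty? ? "<#{tag}#{clean_attrs(tag, attrs)}>" : "</#{tag}>"
  end
end
```

Because everything not explicitly allowed is dropped, a disallowed tag such as script or img disappears along with all of its attributes, and a style attribute that loses all of its properties is removed entirely.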