Forum: Ruby on Rails Partially escape user entered text?

Lindsay Boyd (Guest)
on 2007-02-07 14:12
Hi,

I have a form where a user can input free text including ampersands,
single and double quotes. When I display the text field, I escape it
using h() to prevent XSS hacks etc. but I want the &, ' and " to be
displayed unescaped. Is there a simple way to do this? The text can
appear in multiple locations on my site, so I really need a global
solution. Should I re-write the h() subroutine and place it in
application.rb?

Lindsay
Lindsay Boyd (Guest)
on 2007-02-07 14:33
Argh! This only happens if I escape the text more than once...
h(h(string)).

Lindsay
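Lindsay's second post pins the symptom on double escaping, h(h(string)). The following is an added illustration, not code from this thread: it reproduces the double escape in plain Ruby and shows an escape-once helper modelled on Rails' escape_once, re-implemented here (with my own names and a constructed sample string) so it runs without Rails.

```ruby
require "erb"
require "cgi"

# Single escape, the same thing Rails' h() helper does (ERB::Util.html_escape).
def escape(text)
  ERB::Util.html_escape(text)
end

# Characters that still need escaping: quotes, angle brackets, and any '&'
# that is NOT already the start of a character entity reference such as
# &amp; &#39; or &#x27;. A bare "AT&T" style ampersand is still escaped.
# Hypothetical re-implementation modelled on Rails' escape_once, written
# here so the example runs on plain Ruby without Rails.
NEEDS_ESCAPE = /["'<>]|&(?!(?:[a-zA-Z]+|#[0-9]+|#[xX][0-9a-fA-F]+);)/
ENTITY = { "&" => "&amp;", "<" => "&lt;", ">" => "&gt;",
           '"' => "&quot;", "'" => "&#39;" }.freeze

# Escape text once, leaving already-escaped entities alone. Applying it a
# second time is a no-op, which is what a helper shared across many views
# needs so that nested helpers cannot double-escape the same string.
def escape_once(text)
  text.gsub(NEEDS_ESCAPE) { |ch| ENTITY[ch] }
end

# What the user sees in the browser for a text-only HTML fragment
# (entities decoded). Used only to make the double-escaping symptom visible.
def displayed_text(html)
  CGI.unescapeHTML(html)
end

if __FILE__ == $PROGRAM_NAME
  input = %q{Tom & Jerry said "it's <b>bold</b>"}   # constructed sample input
  once  = escape(input)
  twice = escape(once)                               # the h(h(string)) case
  puts once                  # Tom &amp; Jerry said &quot;it&#39;s &lt;b&gt;bold&lt;/b&gt;
  puts displayed_text(once)  # Tom & Jerry said "it's <b>bold</b>"
  puts displayed_text(twice) # Tom &amp; Jerry said &quot;it&#39;s &lt;b&gt;bold&lt;/b&gt;
  puts escape_once(once) == once                     # true: safe to call again
end
```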
Alex Soto (asoto)
on 2007-02-08 18:43
(Received via mailing list)
Hi,

We allow html input from users that needs to be redisplayed back to
the user.  I settled on using http://pixel-apes.com/safehtml/.  It's
the only open source 'package' that I could find.  There's lots of
articles and ideas on the net on how to do it, but I wanted something
I didn't need to maintain.  Just remember that an XSS-style attack is
a never-ending battle.  New vulnerabilities are constantly being
discovered, so don't expect this to be a drop-in-and-forget-it
solution.

Although it's PHP-based, I ended up wrapping it behind an object that
simply shells out and runs a PHP command line script that takes the
HTML on stdin and gives back the cleaned HTML on stdout.

Alex
