Forum: Ruby on Rails - Partially escape user-entered text?

Announcement (2017-05-07): is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see and for other Rails- and Ruby-related community platforms.
Lindsay B. (Guest)
on 2007-02-07 15:12

I have a form where a user can input free text including ampersands,
single and double quotes. When I display the text field, I escape it
using h() to prevent XSS hacks etc. but I want the &, ' and " to be
displayed unescaped. Is there a simple way to do this? The text can
appear in multiple locations on my site, so I really need a global
solution. Should I re-write the h() subroutine and place it in

Lindsay B. (Guest)
on 2007-02-07 15:33
Argh! This only happens if I escape the text more than once...
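The double-escaping Lindsay ran into, as an added example that is not code from the original thread. Rails' h() is ERB::Util.html_escape; it is not idempotent, so running it twice turns the "&" of every entity into "&amp;" again. The block shows that, plus an escape_once helper written here for the example (it follows the idea of ActionView's escape_once but the regexp is this example's own, not copied from Rails), and the sample input is constructed:

```ruby
require "erb"

# Rails' h() calls ERB::Util.html_escape, which maps & < > " ' to entities.
# Escaping a second time re-escapes the "&" of each entity: &amp; -> &amp;amp;.
def escape(text)
  ERB::Util.html_escape(text)
end

# Escape-once helper (written for this example, modelled on ActionView's
# escape_once): the five special characters are escaped, but an "&" that
# already starts an entity such as &amp;, &#39; or &#x27; is left alone.
ENTITY_AHEAD = /["><']|&(?!([a-zA-Z]+|#\d+|#[xX]\h+);)/
ESCAPES = { "&" => "&amp;", "<" => "&lt;", ">" => "&gt;",
            '"' => "&quot;", "'" => "&#39;" }.freeze

def escape_once(text)
  text.to_s.gsub(ENTITY_AHEAD) { |ch| ESCAPES[ch] }
end

# The global fix for the thread's question: keep the raw text in the database
# and escape exactly once, at render time. Helpers that build markup from
# already-rendered fragments must not call h() on them again.
def render_comment(raw)
  "<p>#{escape(raw)}</p>"
end

SAMPLE = %q(Tom & Jerry's "cat" <script>alert(1)</script>)  # constructed input

if __FILE__ == $0
  once  = escape(SAMPLE)
  twice = escape(once)            # the mangled output from the question
  puts once
  puts twice
  puts escape_once(once) == once  # true: escape_once is safe to apply twice
end
```

escape_once is only a mitigation for code paths that might receive pre-escaped text; it cannot tell a literal "&amp;" typed by a user from an entity, so storing raw text and escaping at output is still the correct design.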

Alex S. (Guest)
on 2007-02-08 19:43
(Received via mailing list)

We allow html input from users that needs to be redisplayed back to
the user.  I settled on using  It's
the only open source 'package' that I could find.  There's lots of
articles and ideas on the net on how to do it, but I wanted something
I didn't need to maintain.  Just remember that an XSS-style attack is
a never-ending battle.  New vulnerabilities are constantly being
discovered, so don't expect this to be a drop-in-and-forget-it

Although it's php based, I ended up wrapping it behind an object that
simply shells out and runs a php command line script that takes the
html on stdin and gives back the cleaned html on stdout.
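The wrapper Alex describes, as an added example (not his code): an object that hands the HTML to an external sanitizer on stdin and reads the cleaned HTML from stdout. The sanitizer command is an assumption (a Ruby one-liner stands in for the PHP script so the example runs offline); the points worth copying are that the command is an argv array, so the HTML never passes through a shell, and that the wrapper fails closed by returning escaped text whenever the sanitizer does not succeed:

```ruby
require "open3"
require "erb"
require "rbconfig"

class ExternalSanitizer
  # command: argv array for the sanitizer, e.g. ["php", "/path/to/clean.php"]
  # (hypothetical path). Never build this from a shell string.
  def initialize(command)
    @command = command
  end

  # Returns the sanitizer's stdout. If the process cannot be started or exits
  # non-zero, the raw HTML is NOT returned; it is fully escaped instead, so a
  # broken sanitizer degrades to plain text rather than to an XSS hole.
  def clean(html)
    out, status = Open3.capture2(*@command, stdin_data: html)
    return out if status.success?
    ERB::Util.html_escape(html)
  rescue Errno::ENOENT
    ERB::Util.html_escape(html)  # sanitizer binary missing
  end
end

# Stand-ins for the example (constructed): a pass-through "sanitizer" and one
# that always fails, both run with the current Ruby interpreter.
PASS_THROUGH = [RbConfig.ruby, "-e", "print STDIN.read"].freeze
ALWAYS_FAILS = [RbConfig.ruby, "-e", "exit 1"].freeze

if __FILE__ == $0
  html = "<b>hi</b><script>alert(1)</script>"  # constructed input
  puts ExternalSanitizer.new(PASS_THROUGH).clean(html)
  puts ExternalSanitizer.new(ALWAYS_FAILS).clean(html)
end
```

In production add a timeout around the call and cap the input size, since a sanitizer stuck on pathological input otherwise ties up the request, and treat the sanitizer's output as the only thing that may be marked html_safe.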

