Sanitizing input for display in view when using simple_format

Posted by Eric on Stack Overflow See other posts from Stack Overflow or by Eric
Published on 2010-03-14T01:49:46Z Indexed on 2010/03/14 1:55 UTC
Read the original article Hit count: 378

Filed under:

rails

|

sanitization

|

xss

|

html-sanitizing

|

views

Hi,

I'm trying to figure out the right way to display comments such that newlines and links are displayed. I know that usually, you should display user-inputs only when escaping html with h(). That of course won't display newlines or links, so I found the simple_format and auto_link methods.

What I am now doing is: simple_format(santize(auto_link(comment.text)))

Is this the right way to do this, and is it still safe from XSS attacks?

Thanks! Eric

© Stack Overflow or respective owner

Related posts about rails

Ruby on Rails: url_for :back leads to NoMethodError for back_url

as seen on Stack Overflow - Search for 'Stack Overflow'
Hi all, I'm trying to use url_for(:back) to create a redirect leading back to a previous page upon a user's logging in. I've had it working successfully for when the user just goes to the login page on his or her own. However, when the user is redirected to the login page due to accessing a page… >>> More
Why am I getting "ArgumentError: wrong number of arguments (1 for 0)" when running my rails function

as seen on Stack Overflow - Search for 'Stack Overflow'
I'm stumped on what's causing this. I get this error and stack trace in all my functional tests where I call 'post'. Here is the full stack trace: 7) Error: test_should_validate(UsersControllerTest): ArgumentError: wrong number of arguments (1 for 0) /Users/hisham/src/rails/ftuBackend/vendor/rails/actionpack/lib/action_controller/routing/route… >>> More
Spork servers super slow (>3m) to start for RSpec & Cucumber BDD

as seen on Stack Overflow - Search for 'Stack Overflow'
I recently installed a fresh development setup on my laptop and now notice that my instances of spork take several minutes to start up. This is also most likely of the RSpec and Cucumber tests start up times running super slow. I ran in diagnostic mode with the -d flag and received the output below… >>> More
trying to convert rails 2.3.4 app to rails 3 but views not appearing

as seen on Stack Overflow - Search for 'Stack Overflow'
I have a simple rails 2.3.4 application I am trying to get running with rails 3.0.0-beta2. I have the server running and all my links and navigation showing, however for some reason the content of my views is not displaying. When I navigate to Site/index the html in my index.html.erb in my site… >>> More
Create new Rails project with previews rails version

as seen on Stack Overflow - Search for 'Stack Overflow'
Hello, The latest version of rails installed on my mac is 3.0.0.beta gem list returns rails (3.0.0.beta, 2.3.5, 2.3.4, 2.3.2, 2.2.2, 1.2.6) I want to create a new project using version 2.3.5 So I run: rails _2.3.5_ myProject But it returns the following error $ rails _2.3.5_ photosbackup /Library/Ruby/Site/1… >>> More

Related posts about sanitization

Skip sanitization for videos in html5lib

as seen on Stack Overflow - Search for 'Stack Overflow'
I am using a wmd-editor in django, much like this one in which I am typing. I would like to allow the users to embed videos in it. For that I am using the Markdown video extension here. The problem is that I am also sanitizing user input using html5lib sanitization and it doesn't allow object tags… >>> More
Is there a PHP library that performs MySQL Data Validation and Sanitization According to Column Type

as seen on Stack Overflow - Search for 'Stack Overflow'
Do you know of any open source library or framework that can perform some basic validation and escaping functionality for a MySQL Db. i envisage something along the lines of: //give it something to perform the quote() quoteInto() methods $lib->setSanitizor($MyZend_DBAdaptor); //tell it structure… >>> More
PHP preg_replace() pattern, string sanitization.

as seen on Stack Overflow - Search for 'Stack Overflow'
I have a regex email pattern and would like to strip all but pattern-matched characters from the string, in a short I want to sanitize string... I'm not a regex guru, so what I'm missing in regex? <?php $pattern = "/^([\w\!\#$\%\&\'\*\+\-\/\=\?\^\`{\|\}\~]+\.)*[\w\!\#$\%\&\'\*\+\-\/\=\… >>> More
Explanation of this SQL sanitization code

as seen on Stack Overflow - Search for 'Stack Overflow'
I got this from for a login form tutorial: function clean($str) { $str = @trim($str); if(get_magic_quotes_gpc()) { $str = stripslashes($str); } return mysql_real_escape_string($str); } Could some one explain exactly what this does? I know that the… >>> More
Are these two functions overkill for sanitization?

as seen on Stack Overflow - Search for 'Stack Overflow'
function sanitizeString($var) { $var = stripslashes($var); $var = htmlentities($var); $var = strip_tags($var); return $var; } function sanitizeMySQL($var) { $var = mysql_real_escape_string($var); $var = sanitizeString($var); return $var; } I got these two functions from… >>> More