Rails3 and safe nl2br !

Posted by arkannia on Stack Overflow
Published on 2010-05-16T15:50:20Z

Hi,

I have a system for the users to be able to post comments.

The comments are grasped into a textarea.

My problem is to format the comments with br tag to replace \n

In fact, I could do something like that

s.gsub(/\n/, '<br />')

But the XSS protection included in Rails escapes br tags.

So I could do this

s.gsub(/\n/, '<br />').html_safe

But then, all the tags are accepted, even script..., causing a big security problem

So my question is: how to format text with br safely?

Thanks

EDIT: For now, I have added this

  # Reopened String class; html_safe comes from ActiveSupport (Rails)
  class String
    # Removes anything matching <...> with a regex (a denylist strip, not a parser)
    def sanitaze
      self.gsub(/(<.*?>)/, '')
    end

    # Strip tags, replace newlines with <br />, then mark the result html_safe
    def nl2br
      self.sanitaze.gsub(/\n/, '<br />').html_safe
    end
  end
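The escape-first approach the question is asking for, as an added example that is not part of the original post: every HTML-significant character is escaped before the `<br />` tags are inserted, so the only markup in the output is the markup we added ourselves. It uses `ERB::Util.html_escape` from Ruby's standard library so it runs without Rails; the `SafeNl2br` module name and `strip_tags_nl2br` helper (kept only to contrast with the question's tag-stripping idea) are my own.

```ruby
require 'erb'

module SafeNl2br
  # Escape first, THEN convert newlines. Because escaping happens before the
  # <br /> tags are inserted, user-supplied "<script>" can only ever appear as
  # "&lt;script&gt;" and the result is safe to mark html_safe in a Rails view.
  def self.call(text)
    escaped = ERB::Util.html_escape(text.to_s)   # escapes & < > " '
    html    = escaped.gsub(/\r?\n/, '<br />')    # handles \n and \r\n line ends
    # Plain Ruby has no String#html_safe; in Rails the same call returns a
    # SafeBuffer so the view engine will not escape our <br /> again.
    html.respond_to?(:html_safe) ? html.html_safe : html
  end

  # The question's regex strip, reproduced for comparison only: a denylist on
  # "<...>" also removes legitimate text that merely contains angle brackets.
  def self.strip_tags_nl2br(text)
    text.gsub(/(<.*?>)/, '').gsub(/\n/, '<br />')
  end
end
```

In a Rails view the same effect is `h(text).gsub("\n", "<br />").html_safe`; Rails' `simple_format` helper is another option that both sanitizes and converts newlines.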
