Rails3 and safe nl2br !
Posted
by arkannia
on Stack Overflow
See other posts from Stack Overflow
or by arkannia
Published on 2010-05-16T15:50:20Z
Indexed on
2010/05/16
16:30 UTC
Read the original article
Hit count: 255
ruby-on-rails3
|rails3
Hi,
I have a system for the users to be able to post comments.
The comments are grasped into a textarea.
My problem is to format the comments with br tag to replace \n
In fact, i could do something like that
s.gsub(/\n/, '<br />')
But the xss protection including in rails escapes br tags.
So i could do this
s.gsub(/\n/, '<br />').html_safe
But then, all the tags are accepted even script.... causing a big security problem
So my question is : how to format text with br safely ?
Thanks
EDIT: For now, i have add this
def sanitaze
self.gsub(/(<.*?>)/, '')
end
def nl2br
self.sanitaze.gsub(/\n/, '<br />').html_safe
end
© Stack Overflow or respective owner