Rails3 and safe nl2br !

Posted by arkannia on Stack Overflow See other posts from Stack Overflow or by arkannia
Published on 2010-05-16T15:50:20Z Indexed on 2010/05/16 16:30 UTC
Read the original article Hit count: 252

Filed under:

ruby-on-rails3

|

rails3

Hi,

I have a system for the users to be able to post comments.

The comments are grasped into a textarea.

My problem is to format the comments with br tag to replace \n

In fact, i could do something like that

s.gsub(/\n/, '<br />')

But the xss protection including in rails escapes br tags.

So i could do this

s.gsub(/\n/, '<br />').html_safe

But then, all the tags are accepted even script.... causing a big security problem

So my question is : how to format text with br safely ?

Thanks

EDIT: For now, i have add this

  def sanitaze
    self.gsub(/(<.*?>)/, '')
  end

  def nl2br
    self.sanitaze.gsub(/\n/, '<br />').html_safe
  end

© Stack Overflow or respective owner

Related posts about ruby-on-rails3

ruby-on-rails3, and select distinct using activereccord3

as seen on Stack Overflow - Search for 'Stack Overflow'
Hi, Some methods have been deprecated with Rails3. It is the case in particular with the following call ! Error.find(:all, :select => 'DISTINCT type') Is anybody have an idea, how to convert this call to an ActiveRecord3 valid statement ? I found nothing on the web ... Thanks >>> More
Rails3 server and bundler error: uninitialized constant Bundler (NameError)

as seen on Stack Overflow - Search for 'Stack Overflow'
I just install rails 3 and all gems that it need, but when I try to start server, it says about problem in boot script. [rap-kasta@acerAspire testR3]$ script/rails server /home/rap-kasta/tmp/testR3/config/boot.rb:7:in `rescue in <top (required)>': uninitialized constant Bundler (NameError)… >>> More
How to set ActiveModel::Base.include_root_in_json to false?

as seen on Stack Overflow - Search for 'Stack Overflow'
I'm using Rails 3 w/ Mongoid, (so no ActiveRecord). Mongoid uses ActiveModel's "to_json" method, and by default that method includes the root object in the JSON (which I don't want). I've tried putting this in an initializer: ActiveModel::Base.include_root_in_json = false But get the error uninitialized… >>> More
No such file to load bundler error for Rails 3

as seen on Stack Overflow - Search for 'Stack Overflow'
I have a Rails 3 app ready for staging. I haven't got a VPS host set up yet. As I was planning to have everything on shared host for the first few months. Problem: cd myapp bundle check result: The Gemfile's dependencies are satisfied Passenger error: Error message: no such file to load… >>> More
How to test Rails 3 Engines with Cucumber & Rspec?

as seen on Stack Overflow - Search for 'Stack Overflow'
I apologize if this question is slightly subjective... I am trying to figure out the best way to test Rails 3 Engines with Cucumber & Rspec. In order to test the engine a rails 3 app is necessary. Here is what I am currently doing: Add a rails test app to the root of the gem (myengine) by… >>> More

Related posts about rails3

Rspec2, Rails3, Authlogic: Can't run specs

as seen on Stack Overflow - Search for 'Stack Overflow'
When I do rspec spec in my rails project, I get No examples were matched. Perhaps {:if=>#<Proc:0x0000010126e998@/Users/samliu/.rvm/gems/ruby-1.9.2-p0@rails3/gems/rspec-core-2.3.1/lib/rspec/core/configuration.rb:50 (lambda)>, :unless=>#<Proc:0x0000010126e970@/Users/samliu/.rvm/gems/ruby-1… >>> More
mongomapper, rails3 edge: undefined method `to_key' on form_for

as seen on Stack Overflow - Search for 'Stack Overflow'
when i am trying to get the basic devise examples running with current git versions from rails, mongomapper and devise, i have the following error appearing: undefined method `to_key' for #<Admin:0x23dee04> here is my actual source: 4: = form_for @admin, :url => admins_path do |f| 5:… >>> More
searching for a guide how to setup mongo_mapper, devise, haml with rails3

as seen on Stack Overflow - Search for 'Stack Overflow'
is there a full setup guide for mongo_mapper, haml, rails3 and devise, for the current git (master) branches? a lot of things changed in all of those frameworks/libs lately. i was wondering if somebody has it up and running and can share it on github or give some pointers... >>> More
When -exactly- does the Rails3 application get initialized?

as seen on Stack Overflow - Search for 'Stack Overflow'
I've been fighting left and right with rails 3 and bundler. There are a few gems out there that don't work properly if the rails application hasn't been loaded yet. factory_girl and shoulda are both examples, even on the rails3 branch. Taking shoulda as an example, when trying to run rake test:units… >>> More
RSpec test failing looking for a new set of eyes

as seen on Stack Overflow - Search for 'Stack Overflow'
Guys, Here my issuse: I've got two models: class User < ActiveRecord::Base # Setup accessible (or protected) attributes for your model attr_accessible :email, :username has_many :tasks end class Task < ActiveRecord::Base belongs_to :user end with this simple routes.rb file TestProj::Application… >>> More