Sanitizing User Input with Ruby on Rails
Posted
by phreakre
on Stack Overflow
See other posts from Stack Overflow
or by phreakre
Published on 2010-05-21T14:48:26Z
Indexed on
2010/05/21
14:50 UTC
Read the original article
Hit count: 208
ruby-on-rails
I'm writing a very simple CRUD app that takes user stories and stores them into a database so another fellow coder can organize them for a project we're both working on. However, I have come across a problem with sanitizing user input before it is saved into the database. I cannot call the sanitize() function from within the Story model to strip out all of the html/scripting. It requires me to do the following:
def sanitize_inputs
self.name = ActionController::Base.helpers.sanitize(self.name) unless self.name.nil?
self.story = ActionController::Base.helpers.sanitize(self.story) unless self.story.nil?
end
I want to validate that the user input has been sanitized and I am unsure of two things: 1) When should the user input validation take place? Before the data is saved is pretty obvious, I think, however, should I be processing this stuff in the Controller, before validation, or some other non-obvious area before I validate that the user input has no scripting/html tags? 2) Writing a unit test for this model, how would I verify that the scripting/html is removed besides comparing "This is a malicious code example" to the sanitize(example) output?
Thanks in advance.
© Stack Overflow or respective owner