So here's a question: I want to allow text to be added to a website page in such a way that the contents cannot screw up my site, but at the same time some markup is allowed, such as a hyperlink.

Problem is, let's say on a summary page I trim an entry and in the process an <a> tag is opened; then the trimmed version will screw up my site. Even without trimming, a careless or malicious user could also screw up the site. Of course the sensible thing to do is use "h" in my rhtml file. But this leaves me the question, how do I get the taggability back in? Of course I could forget h and look over all the string myself to ensure all tags are closed or strip them out, but still that seems to be a bit too much work, plus it probably allows the user too much scope to screw up the site by adding code.

So assuming I go along with the h method I am left with ...

I need to write a small syntax for certain things like a link might be [linkname|linkurl] and then I need to use a javascript helper (possibly) to parse the contents and look for my specialised tags and replace appropriately with html links etc.

Ok so there's a potential solution; should I go ahead with it, or is there some other approach or method to do this in rails etc? Any suggestions? I know this is a problem that wikis and blogs must solve all the time so I am looking for the best approach rather than hacking away the way I have explained above.

_______________________________________________
Rails mailing list
Rails-1W37MKcQCpIf0INCOvqR/iCwEArCW2h5@public.gmane.org
http://lists.rubyonrails.org/mailman/listinfo/rails
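One way to do exactly what the post proposes in plain Ruby, as an added example that is not code from the thread: escape the whole string first (what "h" does), then convert the [linkname|linkurl] syntax into links, refusing any URL whose scheme is not http(s). The function and constant names are assumed for the example.

```ruby
require 'cgi'

# Added example, not code from the thread: render the proposed
# [linkname|linkurl] syntax on top of "h"-style escaping. The whole text
# is escaped first, so user-typed '<' never becomes a tag; the only HTML
# that reaches the page is the <a> we build ourselves.
ALLOWED_SCHEMES = %w[http https].freeze
LINK_SYNTAX = /\[([^\[\]|]+)\|([^\[\]|]+)\]/

# Only absolute http(s) URLs qualify; this rejects javascript:, data:
# and similar schemes that a browser would execute from an href.
def safe_link_url?(url)
  url.match?(%r{\A(?:#{ALLOWED_SCHEMES.join('|')})://\S+\z}i)
end

# Escape everything, then turn well-formed [name|url] pairs into links.
# Because the match runs on escaped text, name and url are already safe
# to place in element content and in a quoted attribute respectively.
def render_with_links(text)
  CGI.escapeHTML(text).gsub(LINK_SYNTAX) do
    name, url = Regexp.last_match(1), Regexp.last_match(2)
    if safe_link_url?(CGI.unescapeHTML(url))
      %(<a href="#{url}">#{name}</a>)
    else
      "[#{name}|#{url}]"   # unsafe scheme: leave it as visible text
    end
  end
end

# Summary pages trim the raw text BEFORE rendering, so a link cut in half
# simply fails to match the syntax and stays plain text; no tag is ever
# left open, which was the original worry.
def render_summary(text, max_chars)
  render_with_links(text[0, max_chars])
end
```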
You could try BlueCloth templating system
http://www.deveiate.org/projects/BlueCloth

Regards

On 10/26/05, Peter Barry <pbarry-IFekc9qy6S0WhyVFc8JwjA@public.gmane.org> wrote:
Márcio Francisco wrote:
> You could try BlueCloth templating system
> http://www.deveiate.org/projects/BlueCloth
> Regards

Do this (or RedCloth). The alternative doesn't really bear thinking about. I know, I've been there :-)

--
Alex
One alternative does bear thinking about. I've also been there (in perl, not in Ruby).

Use HTML Tidy - there is a Ruby wrapper, I believe. The approach is quite simple. Wrap up your fragment of (X)HTML in a simple page, pass the page through HTML Tidy. Result: one tidied XHTML document. Then you can: parse the XHTML and walk over your fragment in the document tree for further processing (stripping out all tags that don't conform to your rules), or skip that and just pull the fragment back out of the page.

I have found this has worked pretty reliably in a content management system that has been running for several years, and allowed us to offer a plain HTML input as well as the evil wretched MS HTML control.

On 26 Oct 2005, at 12:31, Alex Young wrote:
Even after using html tidy and then returning valid html, isn't this still open to some form of injection attacks, if not screwing up the page formatting? I mean supposing I parse the dom tree and remove bad code I guess you could solve this, but it seems it would be difficult to foresee all potential errors.

I like this solution because it gives you full html control rather than an intermediary limited language, but I am wary of it. Maybe I am being too cautious about the security threats.

Thanks to all for the suggestions, I am looking into solutions to suit my needs and you have all helped.
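The concern raised here is well founded: a fragment can be perfectly well-formed after Tidy and still carry a script tag, an on* handler or a javascript: href. The tree walk suggested in the previous reply only removes those if it rebuilds the output from an allowlist rather than removing known-bad items. Added example, not code from the thread, using Ruby's bundled REXML parser; it assumes the input is already well-formed XHTML with only the standard XML entities, and the names ALLOWED, DROP_WITH_CONTENT and sanitize_fragment are assumed for the example.

```ruby
require 'rexml/document'
require 'cgi'

# Added example, not code from the thread: rebuild a tidied XHTML fragment
# from an allowlist. Every tag and attribute must be opted in; anything
# else is dropped (script/style with their content, other tags keeping
# only their text), so a valid-but-hostile fragment cannot pass through.
ALLOWED = { 'p' => [], 'b' => [], 'i' => [], 'em' => [], 'strong' => [],
            'a' => ['href'] }.freeze
DROP_WITH_CONTENT = %w[script style].freeze
HTTP_URL = %r{\A(?:https?)://\S+\z}i

def sanitize_fragment(xhtml)
  doc = REXML::Document.new("<root>#{xhtml}</root>")
  out = +''
  doc.root.each { |child| out << sanitize_node(child) }
  out
rescue REXML::ParseException
  CGI.escapeHTML(xhtml)   # not well-formed after all: show it as plain text
end

def sanitize_node(node)
  case node
  when REXML::Text
    CGI.escapeHTML(node.value)           # value is entity-decoded; re-escape
  when REXML::Element
    return '' if DROP_WITH_CONTENT.include?(node.name)
    inner = +''
    node.each { |child| inner << sanitize_node(child) }
    allowed_attrs = ALLOWED[node.name]
    return inner if allowed_attrs.nil?   # unknown tag: keep text, drop tag
    attrs = +''
    node.attributes.each do |name, value|
      next unless allowed_attrs.include?(name)
      next if name == 'href' && !value.match?(HTTP_URL)
      attrs << %( #{name}="#{CGI.escapeHTML(value)}")
    end
    return inner if node.name == 'a' && attrs.empty?   # link with no safe href
    "<#{node.name}#{attrs}>#{inner}</#{node.name}>"
  else
    ''                                    # comments, PIs and the like
  end
end
```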