Hi, I want to permit users to send their own content, text, HTML, and stuff like that. It should also permit them to send their own design, using div, span, internal style attributes and so on. Obviously I'd like to protect everything by forbidding JavaScript, but permitting object and embedded (for YouTube, gvideo, etc.).

From a previous post the suggestion was wonko/sanitize: http://www.ruby-forum.com/topic/186697
But I've not found time to try it yet.

Btw, my question now is another: how can I remove external links, but keep the link text and internal links?
I mean, if a user inserts "<a href="http://externaldomain.com">my site</a>" it should be sanitized to just "my site"; instead, if he inserts "<a href="http://domain.com">read this page</a>" it should be kept as it is (domain.com is "whitelisted"). And it should also remove others like mailto:, ftp:, etc. (just keep http and https).

Any hint about this? (considering the first lines about styles, and which sanitizer to use)

Thank you
--
Posted via http://www.ruby-forum.com/.
Take a look at: http://guides.rubyonrails.org/security.html and then look at what you're trying to provide. Is it really worth the risk?

A compromise might be http://redcloth.org/, a Textile to Ruby module.

On Jun 29, 5:59 pm, Xdmx Xdmx <rails-mailing-l...-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:
> Hi, I want to permit users to send their own content, text, HTML, and
> stuff like that. It should also permit them to send their own design,
> using div, span, internal style attributes and so on. Obviously I'd like
> to protect everything by forbidding JavaScript, but permitting object and
> embedded (for YouTube, gvideo, etc.).
Hi AGoofin, unfortunately I know the risks of allowing such tags and attributes, but it's a requirement of the system, and Textile (or similar) isn't so powerful (you can't create templates like you do with CSS and divs).

Do you have any hint about the link escaper?
Xdmx Xdmx wrote:
> From a previous post the suggestion was wonko/sanitize:
> http://www.ruby-forum.com/topic/186697

http://wonko.com/post/sanitize

> But I've not found time to try it yet.

This looks exactly like what you need. Why are you asking again if you have a recommendation for something that you haven't even tried?
On Jun 29, 5:59 pm, Xdmx Xdmx <rails-mailing-l...-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:
> Btw, my question now is another: how can I remove external links, but
> keep the link text and internal links?
> I mean, if a user inserts "<a href="http://externaldomain.com">my
> site</a>" it should be sanitized to just "my site"; instead, if he inserts
> "<a href="http://domain.com">read this page</a>" it should be kept as it
> is (domain.com is "whitelisted"). And it should also remove others like
> mailto:, ftp:, etc. (just keep http and https).

Even without Sanitizer, this seems fairly trivial:

    irb(main):017:0> links = "<a href='http://FACE.com'>click here for your FACE</a><br /><a href='http://whitelisted.com'>this domain is allowed</a>"
    irb(main):018:0> allowed = "http://whitelisted.com"
    irb(main):019:0> doc = Hpricot links
    irb(main):020:0> (doc/"//a").each { |tag| tag.swap(tag.inner_text) unless tag[:href] == allowed }
    irb(main):021:0> doc.to_s
    => "click here for your FACE<br /><a href=\"http://whitelisted.com\">this domain is allowed</a>"
pharrington wrote:
> even without Sanitizer, this seems fairly trivial:
>
>     irb(main):017:0> links = "<a href='http://FACE.com'>click here for your FACE</a><br /><a href='http://whitelisted.com'>this domain is allowed</a>"
>     irb(main):018:0> allowed = "http://whitelisted.com"
>     irb(main):019:0> doc = Hpricot links
>     irb(main):020:0> (doc/"//a").each { |tag| tag.swap(tag.inner_text) unless tag[:href] == allowed }
>     irb(main):021:0> doc.to_s
>     => "click here for your FACE<br /><a href=\"http://whitelisted.com\">this domain is allowed</a>"

Hi, I'm trying this solution, but I've found that when

    links = '<a href="test"><img src="url" /></a>'

Hpricot dies with "The error occurred while evaluating nil.parent=" when it should return just the image: '<img src="url" />'.
Any idea on how to solve this?

I've also changed it with a regex:

    (doc/"//a").each { |tag| tag.swap(tag.inner_text) unless tag[:href] =~ /http[s]{0,1}:\/\/[-A-Za-z0-9_.]*domain.com.*/i }

in order to accept www.domain.com, domain.com, sub.domain.com, etc. (I just need to optimize that regex, telling it that a dot is needed when there is something before, in order to accept www.domain.com and domain.com, but deny anotherdomain.com).

Thank you
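Added example, not pharrington's snippet or code from Sanitize or Hpricot: the same per-link filter, but a rejected anchor is unwrapped by keeping its children, so '<a href="test"><img src="url" /></a>' comes back as the image instead of crashing, and the regex is replaced by a parsed scheme-and-host check so that only http/https links to domain.com or its subdomains survive (mailto:, ftp:, and anotherdomain.com are dropped). It uses only REXML and URI from the Ruby standard library, so it assumes well-formed XHTML-style input; the same logic can be run over the tree an HTML parser such as Hpricot or Nokogiri produces.

```ruby
require 'rexml/document'
require 'uri'

# Constructed: the whitelisted site from the thread.
ALLOWED_DOMAIN = 'domain.com'

# True only for http/https URLs whose host is ALLOWED_DOMAIN or a dot-separated
# subdomain of it. Parsing with URI instead of a regex means "anotherdomain.com",
# "domain.com.evil.example" and "http://domain.com@evil.example/" are all
# rejected, and mailto:, ftp: and javascript: fail the scheme check.
def allowed_link?(href, domain = ALLOWED_DOMAIN)
  uri = URI.parse(href.to_s.strip)
  return false unless %w[http https].include?(uri.scheme.to_s.downcase)
  host = uri.host.to_s.downcase
  host == domain || host.end_with?(".#{domain}")
rescue URI::Error
  false
end

# Replace an element with its own children, so <a><img/></a> leaves the <img/>
# behind instead of an empty string (the inner_text swap has nothing to keep).
def unwrap(el)
  parent = el.parent
  el.children.each { |child| parent.insert_before(el, child) }
  el.remove
end

# Assumption: the fragment is well-formed XHTML, which is all REXML accepts.
def filter_links(fragment, domain = ALLOWED_DOMAIN)
  doc = REXML::Document.new("<root>#{fragment}</root>")
  REXML::XPath.match(doc, '//a').each do |a|
    unwrap(a) unless allowed_link?(a.attributes['href'], domain)
  end
  doc.root.children.map(&:to_s).join
end

if __FILE__ == $0
  puts filter_links('<a href="http://externaldomain.com">my site</a>')
  puts filter_links('<a href="http://www.domain.com/x">read this page</a>')
  puts filter_links('<a href="test"><img src="url" /></a>')
end
```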