Answering my own question.
As security, in this case, involves the prevention of injected
javascript from executing, I wrote a method to scan for
'script' tags.
def strip_script_tags(post)
  # Parse the post body and look for any <script> element.
  if Nokogiri::HTML(post).css('script').empty?
    return post
  else
    # Replace the whole post with a red notice when a script tag is found.
    return '<strong><span style="color: #ff0000;">Contents removed for security reasons!</span></strong>'
  end
end
So instead of h(post.post), I have strip_script_tags(post.post) which
prevents any script tags from being presented to the browser but
allows all the other rich goodness introduced by the YUI editor
through.
(I changed to Nokogiri on the way)
On Sep 3, 8:54 am, Martin Hawkins
<martin.hawk...-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
wrote:
> I'm creating a site that involves a blog, using Rails 2.3.8.
> I've used the YUI Rich Text Editor to allow posts to be created (the
> blog is for a photo site so images have to be uploaded) and the
> SimpleEditor for posting comments.
>
> In both cases, I'm using Hpricot to parse the html for index and show
> actions.
>
> I'm concerned about security, as I cannot use h or sanitize on the
> output because if I do I lose the rich text functionality that the
> client wants. But of course that opens the site to attack.
>
> I really need some server side validation. I found some old posts on
> this topic (2006) but the links were broken.
>
> I'm sure other people have faced this problem before. Can anybody
> point me in the direction of something that can help me validate the
> html output so I can sleep better?
> thanks
--
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Talk" group.