Hi!
What are the plans for the insecure text helpers strip_tags,
strip_links and sanitize (see also http://dev.rubyonrails.org/ticket/8877)?
The white_list plugin does a good job removing tags on a whitelist
basis; it could be included in the core. Here is a first version of
more secure text helpers, using the white_list plugin. Do I have to
make it a plugin or is there a chance for the core?
module SecureHelper
  include WhiteListHelper   # provided by the white_list plugin (white_list(html, tags, &block))

  # TODO sanitize
  #################################################################################################
  # Strips (or, with :sanitize, escapes) every tag that is not on the whitelist.
  #   :whitelist => { 'b' => [], 'a' => ['href'] }  tags (and attributes) to let through; default: none
  #   :blacklist => %w(a)                            act only on these tag names, keep everything else
  #   :sanitize  => true                             escape offending tags instead of removing them
  def secure_strip_tags(html, options = {})
    return html if html.blank? || !html.include?('<')

    tags = WhiteListHelper.tags                       # remember the plugin's global whitelist
    WhiteListHelper.tags = options[:whitelist] ? options[:whitelist] : {}

    # Renders a tag as visible text. The entity names are assumed: the posted text
    # shows gsub('<', '<'), a no-op, so the entities were evidently decoded in transit.
    escape = lambda { |node| node.to_s.gsub('<', '&lt;').gsub('>', '&gt;') }

    if options[:sanitize] then
      # escape every offending tag ...
      block = lambda { |node, bad| node.is_a?(HTML::Tag) ? escape.call(node) : node.to_s }
      # ... or only the blacklisted ones
      block = lambda { |node, bad| node.is_a?(HTML::Tag) &&
        options[:blacklist].include?(node.name) ? escape.call(node) : node.to_s } if options[:blacklist]
    else
      # returning nil drops the node entirely
      block = lambda { |node, bad| node.is_a?(HTML::Tag) ? nil : node.to_s }
      block = lambda { |node, bad| node.is_a?(HTML::Tag) &&
        options[:blacklist].include?(node.name) ? nil : node.to_s } if options[:blacklist]
    end

    begin
      # Re-run until the output stops changing: removing a tag can leave a
      # single '<' or '>' that joins the surrounding text into a new tag.
      while html.include?('<')
        html_deleted = white_list(html, {}, &block)
        break if html_deleted == html   # because of single <>
        html = html_deleted
      end
    ensure
      WhiteListHelper.tags = tags       # restore the global whitelist even on error
    end

    return html if options[:blacklist] || options[:whitelist]
    return html
    #.gsub('<', '').gsub('>', '')
  end
  #################################################################################################
  # Removes links only: every other tag stays in place.
  def secure_strip_links(html)
    secure_strip_tags(html, :blacklist => %w(a href))
  end
  #################################################################################################
end
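The behaviour the helper above selects through its options, as an added self-contained example that is neither the white_list plugin nor code from the post: TinyWhiteList, its regex tokenizer TAG_RE and the keyword options whitelist/blacklist/sanitize are this example's own names. It shows the three modes (strip, escape, blacklist-only) and why the helper loops until the output no longer changes: a single pass over "<<b>script>" deletes only "<b>" and leaves a freshly assembled "<script>" behind.

```ruby
# Added example: a minimal whitelist tag filter with the same three
# behaviours as secure_strip_tags. Not the white_list plugin; the
# tokenizer and option names are assumptions of this example.
require 'cgi'

module TinyWhiteList
  # Hypothetical simplified tokenizer: opening or closing tag with a name.
  TAG_RE = /<\/?([a-zA-Z][a-zA-Z0-9]*)\b[^>]*>/

  # One pass over the input. Tags whose name is in +allowed+ are kept;
  # every other tag is handed to the block, whose return value replaces
  # it (nil drops the tag).
  def self.filter_once(html, allowed, &on_bad_tag)
    html.gsub(TAG_RE) do |tag|
      name = $1.downcase
      allowed.include?(name) ? tag : on_bad_tag.call(tag, name).to_s
    end
  end

  # Mirrors secure_strip_tags:
  #   whitelist: tag names to keep (default: none)
  #   blacklist: if given, only these tag names are acted on
  #   sanitize:  escape offending tags instead of removing them
  def self.strip_tags(html, whitelist: [], blacklist: nil, sanitize: false)
    return html unless html.include?('<')

    on_bad = lambda do |tag, name|
      next tag if blacklist && !blacklist.include?(name)   # not targeted: keep as-is
      sanitize ? CGI.escapeHTML(tag) : nil                  # escape or drop
    end

    # Fixpoint loop: deleting a tag can splice the surrounding text into
    # a new tag ("<<b>script>" -> "<script>"), so re-run until stable.
    loop do
      cleaned = filter_once(html, whitelist, &on_bad)
      break if cleaned == html
      html = cleaned
      break unless html.include?('<')
    end
    html
  end

  # Mirrors secure_strip_links: remove anchors, keep everything else.
  def self.strip_links(html)
    strip_tags(html, blacklist: %w(a))
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample input showing why one pass is not enough.
  sample = '<<b>script>alert(1)</script>'
  puts TinyWhiteList.filter_once(sample, []) { nil }   # single pass: <script>alert(1)
  puts TinyWhiteList.strip_tags(sample)               # fixpoint:    alert(1)
  puts TinyWhiteList.strip_tags(sample, sanitize: true)
end
```

In escape mode the stray brackets survive as text (a browser renders "<&lt;b&gt;script>" literally), which is what the commented-out gsub('<', '') at the end of the helper would have cleaned up; in strip mode the loop is what closes the gap.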
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
To post to this group, send email to rubyonrails-core@googlegroups.com
To unsubscribe from this group, send email to
rubyonrails-core-unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/rubyonrails-core?hl=en
-~----------~----~----~----~------~----~------~--~---