Currently my comments are filtered by the h-command which is fine but I''d like to add some expections to it. Well, I dont need to use the h-command but a system that would allow a few html tags and deny all others would be perfect. Is there such code out there somewhere that I could use? I tried to google around but couldn''t find anything. I also could do the whole thing myself but the regexp bits are a bit too hard. -- Posted via http://www.ruby-forum.com/. --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk -~----------~----~----~----~------~----~------~--~---
RoR newbie wrote:> Currently my comments are filtered by the h-command which is fine but > I''d like to add some expections to it. Well, I dont need to use the > h-command but a system that would allow a few html tags and deny all > others would be perfect. > > Is there such code out there somewhere that I could use? I tried to > google around but couldn''t find anything. I also could do the whole > thing myself but the regexp bits are a bit too hard. > > -- > Posted via http://www.ruby-forum.com/.Instead of h try using sanitize it should escape the bad stuff like script tags --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk -~----------~----~----~----~------~----~------~--~---
On 6 October 2006 15:58, RoR newbie wrote:> Currently my comments are filtered by the h-command which is fine but > I''d like to add some expections to it. Well, I dont need to use the > h-command but a system that would allow a few html tags and deny all > others would be perfect. > > Is there such code out there somewhere that I could use? I tried to > google around but couldn''t find anything. I also could do the whole > thing myself but the regexp bits are a bit too hard.This concept is called "html white list"... Try googling on it, I''m sure there are some plugins already available for that. --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk -~----------~----~----~----~------~----~------~--~---
Maxim Kulkin wrote:> On 6 October 2006 15:58, RoR newbie wrote: >> Currently my comments are filtered by the h-command which is fine but >> I''d like to add some expections to it. Well, I dont need to use the >> h-command but a system that would allow a few html tags and deny all >> others would be perfect. >> >> Is there such code out there somewhere that I could use? I tried to >> google around but couldn''t find anything. I also could do the whole >> thing myself but the regexp bits are a bit too hard. > This concept is called "html white list"... Try googling on it, I''m sure > there > are some plugins already available for that.Make sure that whatever HTML white list method you choose, that it also deal with attributes. The Rails Recipe has an HTML whitelist recipe that doesn''t deal with attributes at all, making it unsafe. I could throw in cookie stealing javascript events or style attributes that put in nasty background images. http://fora.pragprog.com/rails-recipes/posts/show/127 That''s one recipe, and my method of making it safe is posted as a comment. -DJCP -- Posted via http://www.ruby-forum.com/. --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk -~----------~----~----~----~------~----~------~--~---
Daniel Collis-puro wrote:> http://fora.pragprog.com/rails-recipes/posts/show/127How can I whitelist attributes with that example and your patch to it? -- Posted via http://www.ruby-forum.com/. --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk -~----------~----~----~----~------~----~------~--~---
RoR newbie wrote:> How can I whitelist attributes with that example and your patch to it?I''ve got a helper method I''m finishing up the Rdoc on. I''ll post a link when it''s ready, probably much later tonight or this weekend. -- Posted via http://www.ruby-forum.com/. --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk -~----------~----~----~----~------~----~------~--~---
On 10/6/06, Daniel Collis-puro <rails-mailing-list-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:> > RoR newbie wrote: > > > How can I whitelist attributes with that example and your patch to it? > > I''ve got a helper method I''m finishing up the Rdoc on. I''ll post a link > when it''s ready, probably much later tonight or this weekend. >http://svn.techno-weenie.net/projects/plugins/white_list/ -- Rick Olson http://weblog.techno-weenie.net http://mephistoblog.com --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk -~----------~----~----~----~------~----~------~--~---
Rick Olson wrote:> On 10/6/06, Daniel Collis-puro <rails-mailing-list-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote: >> >> RoR newbie wrote: >> >> > How can I whitelist attributes with that example and your patch to it? >> >> I''ve got a helper method I''m finishing up the Rdoc on. I''ll post a link >> when it''s ready, probably much later tonight or this weekend. >> > > http://svn.techno-weenie.net/projects/plugins/white_list/ >Ha. That''s funny. Mine is ridiculously similar. Big difference is that I''ve set it up to take allowed tags/attributes as a data structure, allowing you to easily define different tag/attribute profiles for different purposes in one go. I''ll throw it up here anyway. -DJCP -- Posted via http://www.ruby-forum.com/. --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk -~----------~----~----~----~------~----~------~--~---
> Ha. That''s funny. > > Mine is ridiculously similar. Big difference is that I''ve set it up to > take allowed tags/attributes as a data structure, allowing you to easily > define different tag/attribute profiles for different purposes in one > go. > > I''ll throw it up here anyway.I''m seeing the need for that actually. I''m not sure it''s anything I''d have to add support for in my plugin though, I''ll probably just make helpers like white_list_comments that pass in special customizations. -- Rick Olson http://weblog.techno-weenie.net http://mephistoblog.com --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk -~----------~----~----~----~------~----~------~--~---
On 10/6/06, Daniel Collis-puro <rails-mailing-list-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:> > Maxim Kulkin wrote: > > On 6 October 2006 15:58, RoR newbie wrote: > >> Currently my comments are filtered by the h-command which is fine but > >> I''d like to add some expections to it. Well, I dont need to use the > >> h-command but a system that would allow a few html tags and deny all > >> others would be perfect. > >> > >> Is there such code out there somewhere that I could use? I tried to > >> google around but couldn''t find anything. I also could do the whole > >> thing myself but the regexp bits are a bit too hard. > > This concept is called "html white list"... Try googling on it, I''m sure > > there > > are some plugins already available for that. > > Make sure that whatever HTML white list method you choose, that it also > deal with attributes. The Rails Recipe has an HTML whitelist recipe that > doesn''t deal with attributes at all, making it unsafe. I could throw in > cookie stealing javascript events or style attributes that put in nasty > background images. > > http://fora.pragprog.com/rails-recipes/posts/show/127 > > That''s one recipe, and my method of making it safe is posted as a > comment. > > -DJCPI would recommend contacting the author to have this included in the next edition. -Conrad> -- > Posted via http://www.ruby-forum.com/. > > --~--~---------~--~----~------------~-------~--~----~ > You received this message because you are subscribed to the Google Groups > "Ruby on Rails: Talk" group. > To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org > To unsubscribe from this group, send email to > rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org > For more options, visit this group at > http://groups.google.com/group/rubyonrails-talk >~----------~----~----~----~------~----~------~--~---> >--~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk -~----------~----~----~----~------~----~------~--~---
Rick Olson wrote:> > I''m seeing the need for that actually. I''m not sure it''s anything I''d > have to add support for in my plugin though, I''ll probably just make > helpers like white_list_comments that pass in special customizations. >Here it is. http://www.kookdujour.com/blog/details/11 Keep in mind I just picked up Ruby and Rails mid-August, so forgive me if you see me baby-talking in my code. Just think "aww... that''s so cute! He''s learning to talk like big people do!" You can test it out interactively with the default profile at http://www.kookdujour.com/filter_test . I''ve attempted to make the Rdoc as clear as possible, but generally I''m pretty happy with the flexibility this helper provides in terms of making output "safe". The way I''ll use it is to define different "tag profiles" as constants in my models, then pass those tag profiles to "unsafe" HTML right before display. Because the profile is a data structure, one could build a more interactive way of defining what tags/attributes are allowed to who. Feedback is GREATLY appreciated. -DJCP -- Posted via http://www.ruby-forum.com/. --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk -~----------~----~----~----~------~----~------~--~---
I''m having hard time trying to call this from the model. (it can''t be included and can''t be called as static function as well) I think the :attributes clashes with AR. Is there any reason this is not done while saving to the model (database), so the call happens only when saving not on every view request? --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
Sorry, forgot to mention that I''m referring to the white_list plugin. Reynard wrote:> I''m having hard time trying to call this from the model. (it can''t be > included and can''t be called as static function as well) I think the > :attributes clashes with AR. > Is there any reason this is not done while saving to the model > (database), so the call happens only when saving not on every view > request?--~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
Reynard wrote:> I''m having hard time trying to call this from the model. (it can''t be > included and can''t be called as static function as well) I think the > :attributes clashes with AR. > Is there any reason this is not done while saving to the model > (database), so the call happens only when saving not on every view > request?Yes. I don''t like molesting user input. And you may find that you want to change rendering policies down the road, so it''s better to have the raw input available or you won''t be able to. If you''re going to let people edit stuff they create and you render on save, then you''ll be forcing them to edit text different than what they actually entered. Unless you set up two fields - one to hold the "raw" input and another to hold the "rendered" input. But I don''t think it''s worth it. If you''re using fragment (or other) rails caching on your rendered output (you probably should, depending on your app) then the overhead of the render on each view should be negligble. -DJCP -- Posted via http://www.ruby-forum.com/. --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---
Makes sense enough :) thanks for the input and the code contribution! --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en -~----------~----~----~----~------~----~------~--~---