Hi,

I have a form where a user can input free text including ampersands, single and double quotes. When I display the text field, I escape it using h() to prevent XSS hacks etc. but I want the &, ' and " to be displayed unescaped. Is there a simple way to do this? The text can appear in multiple locations on my site, so I really need a global solution. Should I re-write the h() subroutine and place it in application.rb?

Lindsay
--
Posted via http://www.ruby-forum.com/.

You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
Argh! This only happens if I escape the text more than once... h(h(string)).

Lindsay
--
Posted via http://www.ruby-forum.com/.
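The follow-up pins the symptom down: a single h() pass is not the problem, because the browser displays `&amp;`, `&quot;` and `&#39;` as `&`, `"` and `'`; only a second pass turns them into visible entity text. The Ruby below is an added example, not code from the thread or from Rails. It uses `CGI.escapeHTML` (what Rails' h() delegates to), shows the double-escape, and includes an entity-aware `escape_once` written here in the spirit of Rails' helper of the same name, plus a heuristic check for double-escaped output. `SAMPLE_TEXT` is constructed.

```ruby
require "cgi"

# Constructed sample input: the kind of free text the form accepts.
SAMPLE_TEXT = %q{Tom & Jerry said "hi" to O'Neil <b>bold</b>}

# One escaping pass, equivalent to Rails' h(): & < > " ' become entities.
# The browser still *displays* them as &, <, >, ", ' -- nothing is lost.
def escape_once_pass(text)
  CGI.escapeHTML(text.to_s)
end

# The bug from the thread: h(h(string)). The first pass's "&amp;" is
# escaped again, so the page shows a literal "&amp;" instead of "&".
def escape_twice(text)
  escape_once_pass(escape_once_pass(text))
end

# Escape markup characters but leave already-encoded entities alone, so text
# that was escaped once upstream is not escaped a second time. This is a
# re-implementation modelled on the idea of Rails' escape_once, not Rails' code.
HTML_ESCAPE = {
  "&" => "&amp;", "<" => "&lt;", ">" => "&gt;", '"' => "&quot;", "'" => "&#39;"
}.freeze

# Match a bare markup character, or an "&" that does not start a valid entity
# (named, decimal numeric or hex numeric).
ENTITY_AWARE = /["'<>]|&(?!(?:[a-zA-Z][a-zA-Z0-9]*|#[0-9]+|#[xX][0-9a-fA-F]+);)/

def escape_once(text)
  text.to_s.gsub(ENTITY_AWARE, HTML_ESCAPE)
end

# Heuristic check to run over rendered output (or a template test): a
# double-escaped entity such as "&amp;lt;" or "&amp;quot;" is a strong sign
# that some view escaped the same value twice.
def looks_double_escaped?(rendered)
  rendered.to_s.match?(/&amp;(?:amp|lt|gt|quot|#39);/)
end

if __FILE__ == $PROGRAM_NAME
  puts "once:  #{escape_once_pass(SAMPLE_TEXT)}"
  puts "twice: #{escape_twice(SAMPLE_TEXT)}"
  puts "escape_once on already-escaped text is stable: " \
       "#{escape_once(escape_once_pass(SAMPLE_TEXT)) == escape_once_pass(SAMPLE_TEXT)}"
end
```

The fix implied by the thread is to escape exactly once, at output time, and store the raw text; `escape_once` is a safety net for the case where a value may already arrive escaped, and `looks_double_escaped?` is a cheap regression check for view output, not a replacement for escaping.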
apsoto-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org
2007-Feb-08 17:43 UTC
Re: Partially escape user entered text?
Hi,

We allow html input from users that needs to be redisplayed back to the user. I settled on using http://pixel-apes.com/safehtml/. It's the only open source 'package' that I could find. There's lots of articles and ideas on the net on how to do it, but I wanted something I didn't need to maintain. Just remember that XSS-style attacks are a never-ending battle. New vulnerabilities are constantly being discovered, so don't expect this to be a drop-in-and-forget-it solution. Although it's php based, I ended up wrapping it behind an object that simply shells out and runs a php command line script that takes the html on stdin and gives back the cleaned html on stdout.

Alex

On Feb 7, 5:12 am, Lindsay Boyd <rails-mailing-l...-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:
> Hi,
>
> I have a form where a user can input free text including ampersands,
> single and double quotes. When I display the text field, I escape it
> using h() to prevent XSS hacks etc. but I want the &, ' and " to be
> displayed unescaped. Is there a simple way to do this? The text can
> appear in multiple locations on my site, so I really need a global
> solution. Should I re-write the h() subroutine and place it in
> application.rb?
>
> Lindsay
>
> --
> Posted via http://www.ruby-forum.com/.
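The stdin/stdout wrapper Alex describes, written out as an added Ruby example (this is neither Alex's code nor SafeHTML's). Two details matter for a wrapper like this: the command is passed to `Open3.capture3` as an argv array so the user's html is never interpolated into a shell string, and a non-zero exit fails closed instead of returning the raw input. Because PHP and SafeHTML are not assumed to be installed, `STAND_IN_FILTER` is a placeholder child process (a second Ruby interpreter) that only models the stdin-in, cleaned-html-out contract with a tiny tag allow-list; the `["php", "/opt/safehtml/clean.php"]` path in the comment is likewise a placeholder.

```ruby
require "open3"
require "rbconfig"

# Wraps an external command-line sanitiser behind a Ruby object: raw html is
# written to the child's stdin, cleaned html is read back from its stdout.
class ExternalSanitizer
  class SanitizerError < StandardError; end

  # `command` is an argv array, e.g. ["php", "/opt/safehtml/clean.php"]
  # (placeholder path). Passing an array to Open3 bypasses the shell, so the
  # html is never interpolated into a command string.
  def initialize(command)
    @command = Array(command)
  end

  def clean(html)
    out, err, status = Open3.capture3(*@command, stdin_data: html.to_s)
    # Fail closed: if the filter crashed, never fall back to the raw html.
    unless status.success?
      raise SanitizerError, "sanitizer exited #{status.exitstatus}: #{err.strip}"
    end
    out
  end
end

# Stand-in for the PHP script so the example runs anywhere Ruby does: a second
# Ruby process that escapes everything and then re-allows a tiny tag allow-list.
# It only models the stdin/stdout contract; it is not a real HTML sanitiser and
# is not SafeHTML's behaviour.
STAND_IN_FILTER = [RbConfig.ruby, "-e", <<~'FILTER'].freeze
  require "cgi"
  html = CGI.escapeHTML(STDIN.read)
  html = html.gsub(%r{&lt;(/?)(b|i|em|strong)&gt;}i) { "<#{$1}#{$2}>" }
  STDOUT.write(html)
FILTER

def sanitize_with_stand_in(html)
  ExternalSanitizer.new(STAND_IN_FILTER).clean(html)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a little formatting plus a script tag the filter must neutralise.
  puts sanitize_with_stand_in(%q{Hi <b>there</b> & <script>x()</script>})
end
```

In production the command array would point at the real PHP script, and a practitioner would also add a per-call timeout and an input size limit, since a hung or oversized sanitiser process is the easiest way to turn this wrapper into a denial-of-service vector.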