I'm making a messaging application and am wondering if there's a way to do HTML sanitization in the model instead of in the view. My application accepts a message from the user, which must then be sanitized before it's posted. I know that I can do <%=h %> in the view, or use sanitize(), but I would like to do it before the record is even saved as I figured it's better to fix the problem right at the beginning. Is there a way to do the equivalent of =h in a Model?

-- 
Posted via http://www.ruby-forum.com/.

You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
On Mon, 2007-10-15 at 19:22 +0200, Christopher Berner wrote:
> I'm making a messaging application and am wondering if there's a way to
> do HTML sanitization in the model instead of in the view. My application
> accepts a message from the user, which must then be sanitized before
> it's posted. I know that I can do <%=h %> in the view, or use
> sanitize(), but I would like to do it before the record is even saved as
> I figured it's better to fix the problem right at the beginning. Is
> there a way to do the equivalent of =h in a Model?

h() is just

  "html string".gsub('&', '&amp;').gsub('<', '&lt;').gsub('>', '&gt;').gsub('"', '&quot;')

Although I would actually stick to using <%=h instead of putting sanitised data in the database. What if you change your mind about sanitising, or want to display data differently based on the type of user (html for admin, h-ed for everyone else)?

-- 
Tore Darell
toredarell-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org
Trondheim, NO
http://tore.darell.no/
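Escape-on-save (the before_save approach asked about above) placed beside escape-in-view, so the double-escaping Tore warns about is visible. This is added example code, not from the thread or from Rails: `Message` is a plain-Ruby stand-in for an ActiveRecord model, `h` mirrors `<%=h %>`, and `escape_once` is a stdlib reimplementation of the idea behind Rails' helper of the same name.

```ruby
require 'cgi'

# Stand-in for an ActiveRecord model (assumption: no database, just a hook).
class Message
  attr_reader :title

  def initialize(title)
    @title = title
  end

  # Equivalent of `before_save :securetitle`: escape on the way in.
  def save
    @title = CGI.escapeHTML(@title)
    self
  end
end

# What <%=h %> does in a template.
def h(text)
  CGI.escapeHTML(text.to_s)
end

# Unescape first, then escape, so data that was already escaped on save
# is not escaped a second time when the view also calls h().
def escape_once(text)
  CGI.escapeHTML(CGI.unescapeHTML(text.to_s))
end

# Render one raw title under each strategy and return the results.
def render_strategies(raw_title)
  stored = Message.new(raw_title).save.title
  {
    stored:         stored,              # escaped once, as it sits in the DB
    view_on_stored: h(stored),           # <%=h %> on stored data: double-escaped
    view_on_raw:    h(raw_title),        # raw in DB, escaped only at render time
    escape_once:    escape_once(stored)  # safe to apply to already-escaped data
  }
end
```

Comparing `view_on_stored` with `view_on_raw` shows the cost of escaping in both places: the stored copy renders literally as `&lt;b&gt;` instead of `<b>`.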
This plugin http://www.railslodge.com/plugins/112-text-formatter should do what you require.

Christopher Berner wrote:
> I'm making a messaging application and am wondering if there's a way to
> do HTML sanitization in the model instead of in the view. My application
> accepts a message from the user, which must then be sanitized before
> it's posted. I know that I can do <%=h %> in the view, or use
> sanitize(), but I would like to do it before the record is even saved as
> I figured it's better to fix the problem right at the beginning. Is
> there a way to do the equivalent of =h in a Model?

-- 
Posted via http://www.ruby-forum.com/.
Two points:

Remember to sanitize EVERYTHING, either when you store it (by disallowing certain characters, say in a username) or when you display it (using h(), <%=h ... %> or whatever you choose.)

I personally use a script that will disallow <script> tags, and Javascript URIs in links, etc. It uses an allow list, not a disallow list, so new exploits should be detected more easily than with a filter.

--Michael
Thanks for the suggestions. I just discovered the CGI.escapeHTML() function. Would that be a workable alternative to writing my own function or using the plug in listed above?

-- 
Posted via http://www.ruby-forum.com/.
I suggest you take a peek at: http://golem.ph.utexas.edu/~distler/blog/archives/001181.html
Christopher Berner wrote:
> Thanks for the suggestions. I just discovered the CGI.escapeHTML()
> function. Would that be a workable alternative to writing my own
> function or using the plug in listed above?

chris -

precisely.

-- 
Posted via http://www.ruby-forum.com/.
Shai Rosenfeld wrote:
> Christopher Berner wrote:
>> Thanks for the suggestions. I just discovered the CGI.escapeHTML()
>> function. Would that be a workable alternative to writing my own
>> function or using the plug in listed above?
>
> chris -
>
> precisely.

i did the exact same thing, saving the title in a before_save call:

  before_save :securetitle

  # Escape the title before the record hits the database.
  def securetitle
    self.title = CGI.escapeHTML(self.title)
  end

-- 
Posted via http://www.ruby-forum.com/.
  class Article < ActiveRecord::Base
    include ActionView::Helpers::SanitizeHelper

    def before_create
      self.description = sanitize(self.description)
    end
  end

That's how I do it. This will be using Rails 2.0's whitelist sanitize helper.

On 10/15/07, Christopher Berner <rails-mailing-list-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:
>
> I'm making a messaging application and am wondering if there's a way to
> do HTML sanitization in the model instead of in the view. My application
> accepts a message from the user, which must then be sanitized before
> it's posted. I know that I can do <%=h %> in the view, or use
> sanitize(), but I would like to do it before the record is even saved as
> I figured it's better to fix the problem right at the beginning. Is
> there a way to do the equivalent of =h in a Model?
> --
> Posted via http://www.ruby-forum.com/.

-- 
Cheers!
- Pratik
http://m.onkey.org
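An allowlist sanitizer of the kind Michael describes and Pratik's sanitize() call relies on, written as an added example rather than the thread's own code, the Rails helper or the text_formatter plugin. It runs on the stdlib alone; the set of permitted tags is an assumption for the demo, and the design choice is the one that matters for safety: only attribute-free tags from the list pass through, every other token is escaped as text.

```ruby
require 'cgi'

# Assumed allowlist for the demo: simple formatting tags, no attributes.
ALLOWED_TAGS = %w[b i em strong p br].freeze

# Accept exactly `<tag>`, `</tag>` or `<tag/>` with no attributes and a
# tag name on the allowlist; return the normalized tag, otherwise nil.
def allowlisted_tag(token)
  m = %r{\A<(/?)([a-zA-Z]+)\s*/?>\z}.match(token)
  return nil unless m && ALLOWED_TAGS.include?(m[2].downcase)
  "<#{m[1]}#{m[2].downcase}>"
end

# Tokenize into tag-like chunks, runs of text, and stray '<' characters.
# Anything that is not an allowlisted tag is escaped, so attributes
# (onclick=, href=, ...), unknown tags and malformed markup never reach
# the page as markup.
def sanitize_allowlist(html)
  out = String.new
  html.to_s.scan(/<[^<>]*>|[^<]+|</) do |tok|
    if tok.start_with?("<")
      out << (allowlisted_tag(tok) || CGI.escapeHTML(tok))
    else
      out << CGI.escapeHTML(tok)
    end
  end
  out
end
```

Like the escaping helpers earlier in the thread, this is not idempotent: text that already contains `&amp;` comes out as `&amp;amp;`, so run it once, at one layer.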