I use a call to the sanitize method every time I render some user input, but it would be much nicer if I could clean it up once before putting it into the database and avoid having to call the (relatively expensive) sanitize every time I render a page.

My first thought was to just add something like:

  def message=(x)
    self[:message] = sanitize(x)
  end

However, the sanitize helper cannot be called from inside a model. So what would be an elegant way to do this? Stuffing this inside the controller seems awkward (and I would have to put it in several places).

Any thoughts?

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---
Peter De Berdt
2008-Feb-01 10:39 UTC
Re: How to sanitize _before_ going into the database?
On 01 Feb 2008, at 11:17, Fjan wrote:

Although I'm against destructive actions on user entered data (if you sanitize before saving, you can never recover what the user initially entered), there's a plugin that does just that:
http://agilewebdevelopment.com/plugins/acts_as_sanitized

If you want to do it automatically so you don't have to call h or sanitize in your views, you could use xss_terminate:
http://agilewebdevelopment.com/plugins/xss_terminate

You could have easily found this yourself by having a quick search at the agilewebdevelopment site:
http://agilewebdevelopment.com/plugins/search?search=sanitize

Best regards

Peter De Berdt
Thank you, I actually did stumble onto the two you mentioned after writing my original post. But it seems acts_as_sanitized is no longer maintained, and xss_terminate is too destructive for my purpose, as it includes itself in base and strips out everything everywhere unless you tell it not to. I have a lot of models I would need to go over, and I agree: I'm also against destructive actions on user entered data, except for the few cases where it would be a real performance boost.

Instead of installing all kinds of plugins, would there be any problem in simply doing this inside a model:

  include ActionView::Helpers::SanitizeHelper

  def message=(x)
    self[:message] = sanitize(x)
  end

On Feb 1, 11:39 am, Peter De Berdt <peter.de.be...-LPO8gxj9N8aZIoH1IeqzKA@public.gmane.org> wrote:
If you're willing to add fields to your model, you can get around the destructive action issue simply by storing the original input along with the sanitized version. Use the unsanitized field in "edit" forms and display the sanitized field in "show" views. Use a before_save callback to do the sanitizing during any edit.

So for instance, to clean up user input for a Comment model, have both comment_text and comment_html fields, then run comment_text through RedCloth (if you're using textile), white_list (to clip out nasty tags), and hpricot (to close open tags) and stuff into comment_html (via a before_save method). Display comment_html but let the user re-edit comment_text -- which gets cleaned back up and saved in comment_html.
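The two-column scheme from the reply above, worked through as an added example (not code from the thread or from any of the plugins mentioned): a plain Ruby class stands in for the ActiveRecord Comment model with its comment_text and comment_html columns, and a small escape-then-allow-list helper stands in for Rails' sanitize / white_list. The names sanitize_html, ALLOWED_TAGS and roundtrip_demo are assumptions; the sample comment is constructed.

```ruby
require 'cgi'

# Minimal allow-list sanitizer standing in for Rails' sanitize / white_list:
# every character is HTML-escaped first, then only a fixed set of harmless
# inline tags (no attributes) is turned back into real markup.
ALLOWED_TAGS = %w[b i em strong].freeze

def sanitize_html(text)
  escaped = CGI.escapeHTML(text.to_s)
  escaped.gsub(%r{&lt;(/?)(#{ALLOWED_TAGS.join('|')})&gt;}i) do
    "<#{Regexp.last_match(1)}#{Regexp.last_match(2).downcase}>"
  end
end

# Plain Ruby stand-in for the ActiveRecord Comment model with two columns:
# comment_text holds exactly what the user typed (used in edit forms),
# comment_html holds the sanitized rendering (used in show views).
class Comment
  attr_accessor :comment_text
  attr_reader :comment_html

  def initialize(comment_text)
    @comment_text = comment_text
  end

  # Equivalent of a before_save callback: the sanitized column is derived
  # from the raw column on every save, so re-editing never loses the
  # original and views never need to call sanitize at render time.
  def before_save
    @comment_html = sanitize_html(@comment_text)
  end

  def save
    before_save
    true
  end
end

# Constructed walk-through: save, let the user re-edit the raw text, save again.
# Returns [html after first save, raw text after edit, html after second save].
def roundtrip_demo
  comment = Comment.new('Hi <b>there</b> <script>alert(1)</script>')
  comment.save
  first_html = comment.comment_html
  comment.comment_text += ' <i>edited</i>'
  comment.save
  [first_html, comment.comment_text, comment.comment_html]
end
```

The raw column keeps the script tag verbatim for the next edit form, while the stored HTML only ever contains escaped text plus the allow-listed inline tags.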
I released another (Cross Site Sniper) earlier this week....
http://xss.rubyforge.org/

Peter De Berdt wrote:

--
http://www.5valleys.com/
http://www.workingwithrails.com/person/8078