Myron Marston
2008-Apr-18 02:32 UTC
How to prevent user content from messing up my markup?
On my website, I have a page that allows users to leave comments. I'm using Rick Olson's Whitelist plugin (http://svn.techno-weenie.net/projects/plugins/white_list/) to only allow a, b and i tags in user comments. This works great to escape other HTML tags, but it still allows the user to improperly use the allowed tags in a way that screws up my markup. For example, someone can use an opening i tag and forget to close it. My markup will of course no longer validate. I don't know how the different browsers handle it, but at least on firefox, everything after the opening i tag will be italics.

How do I prevent user content that can contain a few whitelisted html tags from screwing up my markup?

Thanks!

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
-~----------~----~----~----~------~----~------~--~---
Frederick Cheung
2008-Apr-18 16:52 UTC
Re: How to prevent user content from messing up my markup?
On 18 Apr 2008, at 03:32, Myron Marston wrote:

> On my website, I have a page that allows users to leave comments. I'm
> using Rick Olson's Whitelist plugin (http://svn.techno-weenie.net/projects/plugins/white_list/)
> to only allow a, b and i tags in user comments. This works great to escape
> other HTML tags, but it still allows the user to improperly use the allowed
> tags in a way that screws up my markup. For example, someone can use an
> opening i tag and forget to close it. My markup will of course no longer
> validate. I don't know how the different browsers handle it, but at least
> on firefox, everything after the opening i tag will be italics.
>
> How do I prevent user content that can contain a few whitelisted html
> tags from screwing up my markup?

You could always check if the markup is valid, and if not just escape all the html out of it.

Fred
Rob Biedenharn
2008-Apr-18 19:00 UTC
Re: How to prevent user content from messing up my markup?
On Apr 18, 2008, at 12:52 PM, Frederick Cheung wrote:

> On 18 Apr 2008, at 03:32, Myron Marston wrote:
>
>> On my website, I have a page that allows users to leave comments. I'm
>> using Rick Olson's Whitelist plugin (http://svn.techno-weenie.net/projects/plugins/white_list/)
>> to only allow a, b and i tags in user comments. This works great to escape
>> other HTML tags, but it still allows the user to improperly use the allowed
>> tags in a way that screws up my markup. For example, someone can use an
>> opening i tag and forget to close it. My markup will of course no longer
>> validate. I don't know how the different browsers handle it, but at least
>> on firefox, everything after the opening i tag will be italics.
>>
>> How do I prevent user content that can contain a few whitelisted html
>> tags from screwing up my markup?
>
> You could always check if the markup is valid, and if not just escape
> all the html out of it.
>
> Fred

Use Hpricot?

irb> require 'rubygems'; gem 'hpricot'
=> true
irb> require 'hpricot'
=> true
irb> h = Hpricot("<b>bold<i>italic, too</b>")
=> #<Hpricot::Doc {elem <b> "bold" {elem <i> "italic, too"} </b>}>
irb> h.to_html
=> "<b>bold<i>italic, too</i></b>"

Note that the closing </i> is added.

-Rob

Rob Biedenharn http://agileconsultingllc.com
Rob-xa9cJyRlE0mWcWVYNo9pwxS2lgjeYSpx@public.gmane.org
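For readers who want to see what the two suggestions above amount to in code, here is an added example (it is not code from the thread, from the Whitelist plugin or from Hpricot). It does in pure Ruby what Rob's Hpricot round-trip does for the nesting problem: tokenize the comment, keep only the tags the thread allows (a, b, i), escape every other tag and all text, and maintain a stack of open elements so that a forgotten closer is supplied at the end and a stray closer is dropped. The attribute policy is an assumption of this example: only href on <a> is kept, and only when it starts with http://, https:// or mailto:, since a tag whitelist says nothing about what an attribute value may contain. Sample inputs in the test are constructed.

```ruby
require 'cgi'

# Tags the thread allows in user comments.
ALLOWED_TAGS = %w[a b i].freeze
# Attributes kept per tag (assumption for this example); everything else is dropped.
ALLOWED_ATTRS = { 'a' => %w[href] }.freeze
# href values must start with one of these prefixes (assumption: no relative or scheme-less links).
ALLOWED_URL_PREFIXES = %w[http:// https:// mailto:].freeze

# Matches an opening or closing tag: optional "/", a tag name, then anything up to ">".
TAG_RE = %r{<(/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>}

# Returns the attribute string to re-emit for +name+, containing only
# whitelisted attributes with escaped, scheme-checked values.
def safe_attrs(name, raw_attrs)
  keep = ALLOWED_ATTRS.fetch(name, [])
  out = +''
  raw_attrs.scan(/([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/) do |attr, dq, sq, bare|
    attr = attr.downcase
    value = dq || sq || bare
    next unless keep.include?(attr)
    if attr == 'href'
      next unless ALLOWED_URL_PREFIXES.any? { |p| value.strip.downcase.start_with?(p) }
    end
    out << %( #{attr}="#{CGI.escapeHTML(value)}")
  end
  out
end

# Sanitizes +html+ so the result contains only balanced a/b/i elements and escaped text.
def sanitize(html)
  out = +''
  open_tags = []   # stack of currently open allowed elements
  pos = 0
  html.scan(TAG_RE) do
    m = Regexp.last_match
    out << CGI.escapeHTML(html[pos...m.begin(0)])   # text before this tag
    pos = m.end(0)
    closing = (m[1] == '/')
    name = m[2].downcase
    unless ALLOWED_TAGS.include?(name)
      out << CGI.escapeHTML(m[0])   # disallowed tag becomes literal text
      next
    end
    if closing
      next unless open_tags.include?(name)   # stray closer: drop it
      # Pop until the matching opener, closing anything the user left open inside it.
      loop do
        t = open_tags.pop
        out << "</#{t}>"
        break if t == name
      end
    else
      out << "<#{name}#{safe_attrs(name, m[3])}>"
      open_tags.push(name)
    end
  end
  out << CGI.escapeHTML(html[pos..-1])                 # trailing text
  out << open_tags.reverse.map { |t| "</#{t}>" }.join # close whatever was forgotten
  out
end

if __FILE__ == $0
  # Rob's example from the thread; the output matches what Hpricot produced.
  puts sanitize('<b>bold<i>italic, too</b>')
end
```

Because every character outside an allowed tag goes through CGI.escapeHTML, a half-typed tag such as "a < b" or an unmatched "<" can never open an element in the surrounding page; and because the stack is emptied at the end, the comment cannot leave a <b> or <i> open that swallows the rest of the page, which is exactly the italics-everywhere effect described in the original question.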
Myron Marston
2008-Apr-21 02:43 UTC
Re: How to prevent user content from messing up my markup?
Guys, thanks for your help. Hpricot worked like a charm. I had heard of hpricot before but had forgotten about it and never tried it.

On Apr 19, 3:00 am, Rob Biedenharn <R...-xa9cJyRlE0mWcWVYNo9pwxS2lgjeYSpx@public.gmane.org> wrote:

> On Apr 18, 2008, at 12:52 PM, Frederick Cheung wrote:
>
>> On 18 Apr 2008, at 03:32, Myron Marston wrote:
>>
>>> On my website, I have a page that allows users to leave comments. I'm
>>> using Rick Olson's Whitelist plugin (http://svn.techno-weenie.net/projects/plugins/white_list/)
>>> to only allow a, b and i tags in user comments. This works great to escape
>>> other HTML tags, but it still allows the user to improperly use the allowed
>>> tags in a way that screws up my markup. For example, someone can use an
>>> opening i tag and forget to close it. My markup will of course no longer
>>> validate. I don't know how the different browsers handle it, but at least
>>> on firefox, everything after the opening i tag will be italics.
>>>
>>> How do I prevent user content that can contain a few whitelisted html
>>> tags from screwing up my markup?
>>
>> You could always check if the markup is valid, and if not just escape
>> all the html out of it.
>>
>> Fred
>
> Use Hpricot?
>
> irb> require 'rubygems'; gem 'hpricot'
> => true
> irb> require 'hpricot'
> => true
> irb> h = Hpricot("<b>bold<i>italic, too</b>")
> => #<Hpricot::Doc {elem <b> "bold" {elem <i> "italic, too"} </b>}>
> irb> h.to_html
> => "<b>bold<i>italic, too</i></b>"
>
> Note that the closing </i> is added.
>
> -Rob
>
> Rob Biedenharn http://agileconsultingllc.com
> R...-xa9cJyRlE0mWcWVYNo9pwxS2lgjeYSpx@public.gmane.org