SpringFlowers AutumnMoon
2009-Apr-22 15:27 UTC
what escape or sanitize functions are out there?
I found the following functions or methods to escape HTML, URL params, or JavaScript data:

<%= h @ha %>
<%= sanitize @ha %>
<%= u @ha %>
<%= @ha.to_json %>
<%= strip_tags @ha %>

Are there more functions or methods to do these things? And are there alternative ways to do that? Thanks.

-- Posted via http://www.ruby-forum.com/.
I have been using the xss_terminate plugin: http://github.com/look/xss_terminate/tree/master

Basically it sanitizes values before they are stored in the database:

"Installing the plugin creates a +before_save+ hook that will strip HTML tags from all string and text fields. No further configuration is necessary if this is what you want. To customize the behavior, you use the +xss_terminate+ class method."
SpringFlowers AutumnMoon
2009-Apr-22 21:10 UTC
Re: what escape or sanitize functions are out there?
PP Junty wrote:
> i have been using the xss_terminate plugin:
>
> http://github.com/look/xss_terminate/tree/master
>
> basically it sanitizes values before they are stored in the database:
>
> "Installing the plugin creates a +before_save+ hook that will strip HTML tags
> from all string and text fields. No further configuration is necessary if this
> is what you want. To customize the behavior, you use the +xss_terminate+ class
> method."

Somebody also suggested replacing all "<" with "< ". It seems like that could be a very crude form of preventing malicious code? Thanks.
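As an added example (not code from the thread, from Rails, or from the xss_terminate plugin), the helpers listed in the first post are put side by side with the strip-on-save approach and the "< " substitution from the last post. It uses Ruby standard-library equivalents: in Rails 2.x `h` is `ERB::Util.html_escape` and `u` is `ERB::Util.url_encode`, both of which live in the stdlib; the `strip_tags` stand-in, the `js_literal` helper, the two `*_injection?` checks and the sample input are constructed for illustration. The point it shows is that each output context (HTML text, quoted attribute, URL query, script block) needs its own escaper, and that removing tags, whether at save time or by breaking `<`, leaves attribute and script contexts exposed.

```ruby
require "erb"
require "json"

# Constructed sample of untrusted input; not taken from the thread.  It carries
# one payload for the HTML text context and one for a quoted attribute context.
UNTRUSTED = %q{<script>alert(1)</script>" onmouseover="alert(2)}

# In Rails 2.x, <%= h %> is ERB::Util.html_escape and <%= u %> is
# ERB::Util.url_encode; both come from the Ruby standard library.
def h(s)
  ERB::Util.html_escape(s)
end

def u(s)
  ERB::Util.url_encode(s)
end

# Minimal stand-in for strip_tags (assumption: the real helper is more careful).
# Stripping is a sanitizer, not an escaper: whatever survives is still raw text,
# so it is also what an xss_terminate-style before_save hook would store.
def strip_tags(s)
  s.gsub(/<[^>]*>/, "")
end

# The "replace every < with '< '" idea from the last post, as a function.
def space_after_lt(s)
  s.gsub("<", "< ")
end

# String for use inside a <script> block.  The stdlib to_json leaves < > & as-is,
# so a value containing "</script>" would close the block; escape those three
# characters as \uXXXX (the same transformation ActiveSupport's to_json applies).
def js_literal(value)
  value.to_json.gsub("<", "\\u003c").gsub(">", "\\u003e").gsub("&", "\\u0026")
end

# One escaper per output context.
def render(value)
  {
    text:  "<p>#{h(value)}</p>",
    attr:  %{<a title="#{h(value)}">link</a>},
    query: "/search?q=#{u(value)}",
    js:    "<script>var v = #{js_literal(value)};</script>",
  }
end

# Constructed checks: did the sample payload survive verbatim into the output?
def tag_injection?(fragment)
  fragment.include?("<script>alert(1)")
end

def attribute_injection?(fragment)
  fragment.include?('" onmouseover="')
end

if __FILE__ == $0
  render(UNTRUSTED).each do |ctx, out|
    bad = tag_injection?(out) || attribute_injection?(out)
    puts "#{ctx.to_s.ljust(5)} #{bad ? 'UNSAFE' : 'ok    '} #{out}"
  end
  # Tag stripping and the "< " trick both leave the attribute payload intact.
  puts "strip_tags in attribute: #{attribute_injection?(%{<a title="#{strip_tags(UNTRUSTED)}">})}"
  puts "space_after_lt in attribute: #{attribute_injection?(%{<a title="#{space_after_lt(UNTRUSTED)}">})}"
end
```

Run it with `ruby escape_contexts.rb` (the filename is an assumption). The four `render` outputs stay clean because the escaper matches the context; the two trailing lines print `true`, because neither stripping tags nor inserting a space after `<` touches the `"` that closes the attribute. That is also why sanitizing at save time cannot replace escaping at output time: the stored value has no idea which context it will later be rendered into.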