Hi all,

Is there any plugin to prevent an HTML form from accepting HTML in the input, throughout the application?

Regards,
Pankaj
What do you mean by preventing the form from accepting HTML input? Do you want to prevent input while the user is typing, to check it in the browser when the user clicks submit and not submit if there is HTML, or to parse the data in the controller after it is submitted and fail validation if necessary?

Note that the first two of these would not prevent someone posting HTML in the form by manually building the POST request rather than using your form in a browser.

Colin

2009/5/9 pankaj wrote:
> Hi all,
> Is there any plugin to prevent html form accepting HTML in the input,
> throughout the application.

You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group. To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
I want to parse the data on the server side after it is submitted and fail validation if necessary.

Regards,
Pankaj

On May 9, 1:05 pm, Colin Law wrote:
> What do you mean by preventing the form from accepting html input? Do you
> want to prevent input while the user is typing, to check it in the browser
> when the user clicks submit and not submit if there is html, or to parse the
> data in the controller after it is submitted and fail validation if
> necessary?
hi,

just strip all the html tags, eg

  # crude stripper: drops anything that looks like a complete <...> tag
  def save_form
    params[:form]['textarea'].gsub!(/<[^>]*>/, '')
    # ...
  end

but that's a very simple example; you probably have to construct a more sophisticated solution (strip code inside javascripts etc).

tom

pankaj wrote:
> Hi all,
> Is there any plugin to prevent html form accepting HTML in the input,
> throughout the application.

--
==============================================================================
Tomas Meinlschmidt, MS {MCT, MCP+I, MCSE, AER}, NetApp Filer/NetCache
www.meinlschmidt.com www.maxwellrender.cz www.lightgems.cz
==============================================================================
How can this save_form function be called for all the params passed?

On May 9, 4:12 pm, Tom Z Meinlschmidt wrote:
> just strip all the html tags, eg
>
> def save_form
> params[:form]['textarea'].gsub!(/<[^>]*>/,'')
> ...
> end
  # same stripper over every value of the form hash; skip anything that is
  # not a String (nested hashes, arrays, nil) so gsub! doesn't blow up
  params[:form].each { |k, v| v.gsub!(/<[^>]*>/, '') if v.is_a?(String) }

pankaj wrote:
> How can this save form function be called for all the params passed?
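As an added illustration of what the one-line regex stripper in the two posts above actually does (this is example code written for this page, not code from Tom's posts), here it is run over a few constructed inputs: a normal tag, a '<' ... '>' span in ordinary prose, an unterminated tag, and an entity-encoded payload. Two of those show the limits of the approach: legitimate text between a '<' and a '>' is deleted along with real tags, and a tag with no closing '>' is not matched at all, even though a browser will still parse it if the value is ever rendered unescaped.

```ruby
# Behaviour of the one-line tag stripper from the thread on a few inputs.
# The regex is the one posted above; the inputs are constructed for this example.
STRIP_TAGS = /<[^>]*>/

def crude_strip(text)
  text.gsub(STRIP_TAGS, '')
end

# Constructed inputs and what the regex does with each of them.
CASES = {
  # complete tags are removed as intended
  '<b>bold</b> text'                        => 'bold text',
  # a '<' ... '>' span in ordinary prose is also removed, destroying content
  'a < b and c > d'                         => 'a  d',
  # an unterminated tag has no closing '>' to match, so it survives intact;
  # browsers still parse '<img src=x onerror=...' if it is rendered raw
  '<img src=x onerror=alert(1)'             => '<img src=x onerror=alert(1)',
  # entity-encoded markup is not a tag; the regex leaves it alone, which is
  # only safe if nothing downstream decodes the entities before rendering
  '&lt;script&gt;alert(1)&lt;/script&gt;'   => '&lt;script&gt;alert(1)&lt;/script&gt;',
}

# Runs every case through the stripper and reports whether a '<' survived.
def stripper_report
  CASES.map do |input, expected|
    actual = crude_strip(input)
    { input: input, output: actual, as_expected: actual == expected,
      tag_free: !actual.include?('<') }
  end
end

if __FILE__ == $0
  stripper_report.each do |r|
    puts "#{r[:input].inspect} -> #{r[:output].inspect} (tag-free: #{r[:tag_free]})"
  end
end
```

The unterminated-tag case is the one to remember: the stripper reports the value as untouched, and it is exactly the kind of value that a browser will happily interpret.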
I'd also recommend that you use a somewhat more intelligent solution - take a look at SanitizeHelper, part of ActionView:

http://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html

There are a lot of gotchas in trying to clean up user input, so it's better if you can use a well-tested solution.

--Matt Jones

On May 9, 8:43 am, Tom Z Meinlschmidt wrote:
> params[:form].each{|k,v| v.gsub!(/<[^>]*>/,'') }
Thanks everyone for your replies. I want to use the sanitize helper in one central location, so that I do not have to write it for each form.

Regards,
Pankaj

On May 9, 8:39 pm, Matt Jones wrote:
> I'd also recommend that you use a somewhat more intelligent solution -
> take a look at SanitizeHelper, part of ActionView:
>
> http://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html
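Pankaj's "one central location" request above and Matt's pointer to SanitizeHelper combine naturally into a before_filter on ApplicationController that walks every param once. The following is an added example written for this page (not code from the thread or from Rails): it implements the recursive walk and a "fail validation" check in plain Ruby so it runs stand-alone. The stand-in transform uses CGI.escapeHTML from the standard library; the Rails hookup shown in the comment (before_filter, params.replace, ActionController::Base.helpers.strip_tags) is assumed for a Rails 2.x app and is not executed here. Whichever way the params are cleaned, treat it as defence in depth: escaping at output in the views (h() in Rails 2.x, automatic in Rails 3) is what actually stops stored markup from executing.

```ruby
require 'cgi'

# Walk a params-style structure (nested Hashes and Arrays with String leaves,
# as Rack/Rails build them) and apply +transform+ to every String, returning
# a new structure. Non-string leaves (nil, numbers, upload objects) pass through.
def deep_map_strings(value, &transform)
  case value
  when Hash   then value.each_with_object({}) { |(k, v), out| out[k] = deep_map_strings(v, &transform) }
  when Array  then value.map { |v| deep_map_strings(v, &transform) }
  when String then transform.call(value)
  else value
  end
end

# '<' followed by a tag name, '/' (closing tag) or '!' (comment/doctype).
# A bare '<' in prose such as "2 < 3" is not markup and is not flagged.
MARKUP = /<\s*\/?[a-z!]/i

# Dotted paths of every param whose value looks like markup; an empty list
# means the request is clean. Use this for a "fail validation" policy.
def params_with_markup(value, path = [])
  case value
  when Hash   then value.flat_map { |k, v| params_with_markup(v, path + [k.to_s]) }
  when Array  then value.each_with_index.flat_map { |v, i| params_with_markup(v, path + [i.to_s]) }
  when String then value =~ MARKUP ? [path.join('.')] : []
  else []
  end
end

# Stand-in transform: neutralise markup by escaping rather than deleting it,
# so "2 < 3" survives as "2 &lt; 3" instead of being chewed up.
def escape_markup(text)
  CGI.escapeHTML(text)
end

# Constructed request, shaped like Rails' params for a form named "post".
SAMPLE_PARAMS = {
  'post' => {
    'title' => 'Hello <b>world</b>',
    'body'  => 'plain text, 2 < 3',
    'tags'  => ['ruby', '<script>alert(1)</script>'],
    'draft' => '1',
  },
  'authenticity_token' => 'abc123',
}

# Hypothetical hookup in a Rails 2.x ApplicationController (assumed API names,
# not executed in this stand-alone script). Pick one policy:
#
#   # (a) fail the request if any param carries markup
#   before_filter :reject_html_in_params
#   def reject_html_in_params
#     bad = params_with_markup(params)
#     render(:text => "HTML not allowed in: #{bad.join(', ')}", :status => 422) if bad.any?
#   end
#
#   # (b) strip it everywhere with the well-tested helper Matt pointed at
#   before_filter :strip_html_from_params
#   def strip_html_from_params
#     params.replace(deep_map_strings(params) { |s| ActionController::Base.helpers.strip_tags(s) })
#   end

if __FILE__ == $0
  puts "params carrying markup: #{params_with_markup(SAMPLE_PARAMS).inspect}"
  puts deep_map_strings(SAMPLE_PARAMS) { |s| escape_markup(s) }.inspect
end
```

deep_map_strings returns a new structure rather than mutating in place, which is why a non-String value (a nested Hash, an uploaded file, nil) never reaches gsub!; the one-liner from earlier in the thread assumes every value is a String.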
On 09/05/2009, at 6:05 PM, Colin Law wrote:
> What do you mean by preventing the form from accepting html input?
> Do you want to prevent input while the user is typing, to check it
> in the browser when the user clicks submit and not submit if there
> is html, or to parse the data in the controller after it is
> submitted and fail validation if necessary?

He means: is there JavaScript client-side validation to save a server round trip for validation? I reckon that oughta be in Rails 3 form helpers.

Blog: http://random8.zenunit.com/
Learn: http://sensei.zenunit.com/
Twitter: http://twitter.com/random8r
Hi Pankaj,

You'd like a look at the XSS Terminate plugin: github.com/look/xss_terminate/tree/master

Install and forget ... as the Readme says. :)

On May 11, 6:23 am, Julian Leviston wrote:
> He means is there JavaScript client side validation to save a server
> round trip for validation? I reckon that oughta be in rails 3 form
> helpers.