If this is a really stupid noob question I apologize in advance, and appreciate any answers I get from this.

I made a blog with rails, and just finished with the design. Upon creating my first real post, I realized I couldn't put links in my posts. I mean I can write links yes, but what I want to do is this:

[code]
blah blah blah <a href="http://www.site.com">site</a> blah blah blah
[/code]

So I really have no idea what to do. I googled html filters, url filters, and url parsers for about an hour before I posted this, so any information would be helpful. Thanks :D

--
Posted via http://www.ruby-forum.com/.

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFF+G/Ez6ZCGd0@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.
On Tue, Aug 17, 2010 at 11:18, Kaspir Ghost <lists-fsXkhYbjdPsEEoCn2XhGlw@public.gmane.org> wrote:

> I couldn't put links in my
> posts. I mean I can write links yes, but what I want to do is this:
>
> [code]
> blah blah blah <a href="http://www.site.com">site</a> blah blah blah
> [/code]

Looks to me like you're running afoul of HTML sanitization. This is in fact for your (or rather, your users') protection, against cross-site-scripting attacks. If you REALLY want to do that sort of thing, you can explicitly mark the string as being already HTML-safe. I'll leave it to you to find out how to do that, as this is a serious vulnerability, not to be left unprotected-against lightly.

Alternately, there are probably some plugins/gems/whatever that will let your users insert a *limited subset* of tags, including links... though of course the targets may contain cross-site-scripting attacks....

-Dave

--
Specialization is for insects. -RAH | Have Pun, Will Babble! -me
Programming Blog: http://codosaur.us | Work: http://davearonson.com
Leadership Blog: http://dare2xl.com | Play: http://davearonson.net
* * * * * WATCH THIS SPACE * * * * * | Ruby: http://mars.groupsite.com
On 17 August 2010 16:18, Kaspir Ghost <lists-fsXkhYbjdPsEEoCn2XhGlw@public.gmane.org> wrote:

> If this is a really stupid noob question I apologize in advance, and
> appreciate any answers I get from this.
>
> I made a blog with rails, and just finished with the design. Upon
> creating my first real post, I realized I couldn't put links in my
> posts. I mean I can write links yes, but what I want to do is this:
>
> [code]
> blah blah blah <a href="http://www.site.com">site</a> blah blah blah
> [/code]
>
> So I really have no idea what to do. I googled html filters, url
> filters, and url parsers for about an hour before I posted this, so any
> information would be helpful. Thanks :D

Do you mean that you want the poster to be able to type <a href="http....> (which is dangerous as Dave has pointed out) or that you want the poster just to type www.site.com and that you will automatically turn this into a link (in which case you could use regular expressions to generate the links)?

Colin
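Putting Dave's advice (never mark user text as HTML-safe; allow at most a limited subset of tags) together with Colin's regex suggestion, here is an added example in plain Ruby, not code from the thread or from Rails: the post is HTML-escaped first and bare http/https URLs are then turned into links. The helper names `autolink` and `link_for` are my own.

```ruby
require 'cgi'
require 'uri'

# Added example, not code from the thread or from Rails. Render a
# plain-text post as HTML without trusting any markup the author typed:
# everything is HTML-escaped, then bare http/https URLs become <a> tags
# whose href is escaped as well. A typed <a href=...> or <script> comes
# out as literal text. For the "limited subset of tags" route instead,
# a Rails view would use sanitize(text, tags: %w[a], attributes: %w[href])
# rather than raw or html_safe.

URL_PATTERN = %r{https?://[^\s<>"']+}
TRAILING_PUNCT = /[.,;:!?)]+\z/

# One <a> tag for an absolute http(s) URL with a host; anything else is
# returned as escaped text so a malformed "URL" never reaches an href.
def link_for(url)
  uri = begin
    URI.parse(url)
  rescue URI::InvalidURIError
    nil
  end
  return CGI.escapeHTML(url) unless uri && %w[http https].include?(uri.scheme) && uri.host
  href = CGI.escapeHTML(url)
  %(<a href="#{href}" rel="nofollow">#{href}</a>)
end

# Walk the text: escape the plain segments, link the URL segments, and
# keep trailing punctuation such as "http://x.com." outside the link.
def autolink(text)
  out = String.new
  last = 0
  text.scan(URL_PATTERN) do
    m = Regexp.last_match
    out << CGI.escapeHTML(text[last...m.begin(0)])
    url = m[0]
    trail = url[TRAILING_PUNCT] || ''
    url = url[0, url.length - trail.length]
    out << link_for(url) << CGI.escapeHTML(trail)
    last = m.end(0)
  end
  out << CGI.escapeHTML(text[last..-1])
end
```

Because the author's own `<a ...>` text is escaped rather than interpreted, a comment containing `<script>` is shown as text, while a bare URL still becomes a clickable link.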
Dave Aronson wrote:

> On Tue, Aug 17, 2010 at 11:18, Kaspir Ghost <lists-fsXkhYbjdPsEEoCn2XhGlw@public.gmane.org> wrote:
>
>> I couldn't put links in my
>> posts. I mean I can write links yes, but what I want to do is this:
>>
>> [code]
>> blah blah blah <a href="http://www.site.com">site</a> blah blah blah
>> [/code]
>
> Looks to me like you're running afoul of HTML sanitization. This is
> in fact for your (or rather, your users') protection, against
> cross-site-scripting attacks. If you REALLY want to do that sort of
> thing, you can explicitly mark the string as being already HTML-safe.
> I'll leave it to you to find out how to do that, as this is a serious
> vulnerability, not to be left unprotected-against lightly.
>
> Alternately, there are probably some plugins/gems/whatever that will
> let your users insert a *limited subset* of tags, including links...
> though of course the targets may contain cross-site-scripting
> attacks....
>
> -Dave

Thanks for your reply! I am the only user on the site. Does either option still present a threat for me?
On Tue, Aug 17, 2010 at 11:32, Kaspir Ghost <lists-fsXkhYbjdPsEEoCn2XhGlw@public.gmane.org> wrote:

> I am the only user on the site. Does either option still present a
> threat for me?

If you allow people to comment, then their comments must likewise be sanitized. If you do not, then that is an indirect hazard to you -- allowing common attack vectors like XSS vulnerabilities to go unaddressed, is hazardous to your professional reputation. :-)

IOW, don't just do it because of any direct immediate threat to you. Do it because it's The Right Thing To Do.

-Dave