search for: xssfoliat

Synopsis ---------- Loofah::HTML::Document#text emits unencoded HTML entities prior to 0.4.6. This was originally by design, since the output of #text is intended to be used in a non-HTML context (such as generation of human-readable text documents). However, Loofah::XssFoliate''s default behavior and Loofah::Helpers#strip_tags both use #text to strip tags out of the output, meaning that the following input: &lt;script&gt;alert(''evil!'');&lt;/script&gt; would be rendered as <script>alert(''evil!'');&lt...

.../tt> and <tt>&gt;</tt> entities. * _Whitewash_ the markup, removing all attributes and namespaced nodes. * Format the markup as plain text. * Replacements for Rails''s +strip_tags+ and +sanitize+ helper methods. * TWO! Count them, TWO! ActiveRecord extensions:   * Loofah::XssFoliate (an XssTerminate[http://github.com/look/xss_terminate/tree/master] drop-in replacement) is an *opt-out* sanitizer; by default all models and attributes are sanitized.   * Loofah::ActiveRecordExtension is an *opt-in* sanitizer; you must explicitly declare attributes to be sanitized. * 99 44/100 % p...